Why We Need In-depth SAP Security Training

SAP and Oracle are releasing tons of patches every month, but are enterprises up to this complex task? I have my doubts.

One of the biggest cybersecurity surprises of note is the large number of breaches announced this year that, according to fact-finding by the Onapsis Research Labs, originated in SAP and other enterprise ERP systems.

A month ago, new evidence came to light about a high profile two-year-old breach at US Investigations Services (USIS), a contractor in charge of conducting federal background checks. The USIS breach made headlines because it was the first public proof that an SAP vulnerability was the origin of an attack leading to the theft of personal information about federal employees and contractors with access to classified intelligence.

Weeks later we heard about a new breach, this time directly against the Office of Personnel Management, compromising 4 million current and former federal employees’ personal information. Subsequent reports disclosed that the exposed information could be even more widespread. In a letter to the OPM Director, J. David Cox, national president of the American Federation of Government Employees (AFGE), claimed: “Based on the sketchy information OPM has provided, we believe that the Central Personnel of Data File [CPDF] was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

These are not isolated cases. And while I cannot confirm which kind of system OPM uses for the CPDF database, taking public information into account, OPM most likely uses an ERP-based system to hold and report federal employment statistics.

More concerning, recent weeks have shown that business-critical applications are rapidly becoming one of the most valuable targets for cybercriminals and cyberespionage. SAP and Oracle are releasing tons of patches every month, but are enterprises up to the task? Because these enterprises run complex infrastructures, and patching and configuration are themselves complex tasks, I have my doubts.

In order to properly secure these enterprise applications against these and other threats, many things need to happen within a company, among them:

  • a strict patch management process 
  • security and configurations change management processes, and 
  • a security threats monitoring program.

There are also many actors within the SAP security landscape, all of whom need to understand the latest cybersecurity risks affecting SAP systems. Four key players, and the issue each of them faces:

IT Security & CISO
If you are part of the IT Security staff, or even the CISO, then you are probably familiar with feeling a lack of control around the security of your SAP landscapes. Understanding the risks and how to mitigate them is a powerful tool necessary for gaining visibility into the most critical systems of the company.

SAP BASIS Administrators
System configurations, implementation of patches, system upgrades and other tasks are very relevant from a security standpoint, as they can have a big impact on how secure the systems eventually are over time. It’s important to understand which of the changes or actions you apply to the systems could actually have a negative impact in terms of security.

System Auditors
If you are an auditor, you should know that most of the big auditing firms are already including SAP cybersecurity as part of their audits. Understanding how to audit the technical layer will eventually become a requirement for security audits of SAP systems.

Penetration Testers
While doing external or internal penetration tests, and depending on the scope defined by your client, you will likely find SAP systems connected to the network. Because SAP systems are part of a complex scenario, you need to understand all components, and how each one could be vulnerable, depending on the patches and configurations that were applied. This will clearly define how successful an SAP penetration test would be.

[Learn more from JP about how to assess, exploit and defend SAP platforms during his training session on SAP-specific attacks and protection techniques, Black Hat 2015, Las Vegas August 3-4.]

Juan Pablo leads the research & development teams that keep Onapsis on the cutting edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the ...

Blog Voyage
User Rank: Strategist
7/3/2015 | 2:51:32 AM
Very nice stuff. So technical but very nice.

User Rank: Apprentice
7/2/2015 | 6:15:39 AM
Read here you will be more satisfied