
Application Security

Why We Need In-depth SAP Security Training

SAP and Oracle are releasing tons of patches every month, but are enterprises up to this complex task? I have my doubts.

One of the biggest cybersecurity surprises of the year is the number of breaches announced this year that, according to research by the Onapsis Research Labs, came in through SAP and other enterprise ERP systems.

A month ago, new evidence came to light about a high-profile, two-year-old breach at US Investigations Services (USIS), the contractor in charge of conducting federal background checks. The USIS breach made headlines because it was the first public proof that an SAP vulnerability was the origin of an attack that led to the theft of personal information about federal employees and contractors with access to classified intelligence.

Weeks later we heard about a new breach, this time directly against the Office of Personnel Management (OPM), compromising the personal information of 4 million current and former federal employees. Subsequent reports disclosed that the exposure could be even more widespread. In a letter to the OPM director, J. David Cox, national president of the American Federation of Government Employees (AFGE), claimed: “Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File [CPDF] was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

These are not isolated cases. And while I cannot confirm which kind of system OPM uses for the CPDF database, based on public information OPM is most likely using an ERP-based system to hold and report federal employment statistics.

More concerning, recent weeks have shown that business-critical applications are rapidly becoming one of the most valuable targets for cybercriminals and cyberespionage. SAP and Oracle are releasing a large number of patches every month, but are enterprises up to the task? Given how complex these landscapes are, and how complex patching and configuration themselves are, I have my doubts.

In order to properly secure these enterprise applications against these and other threats, many things need to happen within a company, among them:

  • a strict patch management process,
  • change management processes that cover security settings and system configuration, and
  • a program for monitoring security threats against these systems.

There are also many actors in the SAP security landscape, and all of them need to understand the latest cybersecurity risks affecting SAP systems. Here is what that means for four key players:

IT Security & CISO
If you are part of the IT security staff, or even the CISO, then you are probably familiar with the feeling of having little control over the security of your SAP landscapes. Understanding the risks and how to mitigate them is the first step toward gaining visibility into the most critical systems of the company.

SAP BASIS Administrators
System configuration, patch implementation, system upgrades and similar tasks are highly relevant from a security standpoint, because they determine how secure the systems actually are over time. It is important to understand which of the changes you apply to a system could have a negative impact on its security.
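The point above, that a routine configuration change can quietly weaken a system, is easier to act on when every change is checked against a baseline, which is also what the "security and configuration change management" item in the list earlier comes down to in practice. The following is an added example, not code from the article or from Onapsis: it parses two snapshots of SAP profile parameters, reports what changed, and classifies each change as hardening or weakening according to a small policy. The parameter names are real SAP profile parameters; the policy thresholds, both snapshots and all function names are assumptions chosen for illustration.

```python
"""Flag security-relevant drift between two SAP profile-parameter snapshots.
Added example, not code from the article or from Onapsis: the parameter names
are real SAP profile parameters, but the POLICY thresholds, both snapshots and
all helper names are assumptions chosen for illustration."""
from typing import Dict, List, Tuple

# Policy: parameter -> (direction, threshold).
# "min": value must be >= threshold; lowering it weakens security.
# "max": value must be <= threshold; raising it weakens security.
POLICY: Dict[str, Tuple[str, int]] = {
    "login/min_password_lng": ("min", 8),           # minimum password length
    "login/fails_to_user_lock": ("max", 5),         # failed logons before lock
    "auth/rfc_authority_check": ("min", 1),         # authority check on RFC calls
    "gw/acl_mode": ("min", 1),                      # gateway ACL enforced
    "login/no_automatic_user_sapstar": ("min", 1),  # no automatic SAP* user
}
# (parameter, status, old value, new value); "" where not applicable
Finding = Tuple[str, str, str, str]

# Constructed sample: values approved in the last security review
BASELINE_PROFILE = """\
login/min_password_lng = 10
login/fails_to_user_lock = 3
auth/rfc_authority_check = 1
gw/acl_mode = 1
login/no_automatic_user_sapstar = 1
"""
# Constructed sample: the same system after an upgrade and a "temporary" change
CURRENT_PROFILE = """\
login/min_password_lng = 6        # lowered so a legacy interface could log on
login/fails_to_user_lock = 3
auth/rfc_authority_check = 1
gw/acl_mode = 0                   # gateway ACL switched off during go-live
rdisp/gui_auto_logout = 3600      # new parameter, not covered by the policy
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def compliant(name: str, value: str) -> bool:
    """True when the value satisfies POLICY; parameters not in POLICY always pass."""
    if name not in POLICY:
        return True
    direction, threshold = POLICY[name]
    try:
        number = int(value)
    except ValueError:
        return False  # a non-numeric value for a numeric parameter is itself a finding
    return number >= threshold if direction == "min" else number <= threshold


def classify_change(name: str, old: str, new: str) -> str:
    """Label a changed value 'weakened', 'hardened' or (outside POLICY) 'changed'."""
    if name not in POLICY:
        return "changed"
    direction, _ = POLICY[name]
    try:
        before, after = int(old), int(new)
    except ValueError:
        return "changed"
    if before == after:
        return "changed"  # e.g. "01" vs "1": textually different, numerically equal
    lowered = after < before
    weakened = lowered if direction == "min" else not lowered
    return "weakened" if weakened else "hardened"


def diff_profiles(baseline_text: str, current_text: str) -> List[Finding]:
    """One finding per difference, plus one per current value that violates POLICY."""
    base, cur = parse_profile(baseline_text), parse_profile(current_text)
    findings: List[Finding] = []
    for name in sorted(set(base) | set(cur)):
        old, new = base.get(name), cur.get(name)
        if old is None:
            findings.append((name, "added", "", new))
        elif new is None:
            findings.append((name, "removed", old, ""))  # kernel default now applies
        elif old != new:
            findings.append((name, classify_change(name, old, new), old, new))
    for name, value in cur.items():  # weak values are findings even if unchanged
        if not compliant(name, value):
            findings.append((name, "noncompliant", "", value))
    return findings


if __name__ == "__main__":
    for name, status, old, new in diff_profiles(BASELINE_PROFILE, CURRENT_PROFILE):
        print(f"[{status:<12}] {name}: {old or '-'} -> {new or '-'}")
```

Run as written, the script reports the lowered password length and the disabled gateway ACL twice (once as a weakening change, once as a policy violation), the removed SAP* parameter (the kernel default now applies, which is exactly the kind of silent change worth a second look) and the newly added auto-logout parameter. In practice the two snapshots would be the instance or default profile, or the output of report RSPARAM, captured before and after a transport or upgrade; the separate "noncompliant" pass matters because a value can be weak without having changed at all.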

System Auditors
If you are an auditor, you should know that most of the big auditing firms already include SAP cybersecurity in their audits. Understanding how to audit the technical layer, not just business roles and authorizations, will eventually become a requirement for security audits of SAP systems.

Penetration Testers
While doing external or internal penetration tests, and depending on the scope defined by your client, you will likely find SAP systems connected to the network. Because an SAP landscape is made up of many components, you need to understand each of them and how each one could be vulnerable, depending on the patches and configuration that were applied. How well you understand this will largely determine how successful an SAP penetration test is.

[Learn more from JP about how to assess, exploit and defend SAP platforms during his training session on SAP-specific attacks and protection techniques, Black Hat 2015, Las Vegas August 3-4.]

Juan Pablo leads the research & development teams that keep Onapsis on the cutting edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' software solutions, and helps manage the ...
Comments

Blog Voyage, User Rank: Strategist, 7/3/2015 2:51:32 AM:
Very nice stuff. So technical but very nice.

User Rank: Apprentice, 7/2/2015 6:15:39 AM:
Read here, you will be more satisfied.