SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.
To provide a predictable, scheduled flow of vulnerability information and security patches, SAP releases its Security Notes on the second Tuesday of every month (SAP Security Patch Day). Because each release discloses new issues that may weaken the security of the SAP systems within an organization, it is highly recommended to assess those systems at least monthly, in step with that schedule.
At Onapsis we are very concerned about our clients' SAP system security and about the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP customers detailed information about the newly released notes and the vulnerabilities affecting their systems, and to help guide their testing of those systems within their organization.
This month SAP published 17 Security Notes (1 Support Package Note and 16 Patch Day Notes). Four of them were reported by external researchers; Onapsis Research Labs reported one of the four, note 2009696, an XSS vulnerability in SAP HANA found by Will Vandevanter.
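The monthly cadence described above is easy to turn into a small scheduling check. The following Python snippet is an added example, not code from the original post or from Onapsis: it computes the second Tuesday of each month (the Patch Day date) and flags when a Patch Day has passed since an organization's last assessment. The assessment dates used at the bottom are constructed for the example.

```python
"""Compute SAP Security Patch Day dates (second Tuesday of each month)
and check whether a monthly assessment cadence has been kept.
Added example; the assessment dates below are constructed, not real data."""
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def second_tuesday(year, month):
    """Return the second Tuesday of the given month as a date."""
    first = date(year, month, 1)
    days_until_tuesday = (TUESDAY - first.weekday()) % 7
    first_tuesday = first + timedelta(days=days_until_tuesday)
    return first_tuesday + timedelta(days=7)


def patch_days(year):
    """All twelve Patch Day dates for a calendar year."""
    return [second_tuesday(year, m) for m in range(1, 13)]


def next_patch_day(today):
    """First Patch Day on or after `today` (rolls over to January if needed)."""
    candidate = second_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return second_tuesday(today.year + 1, 1)
    return second_tuesday(today.year, today.month + 1)


def last_patch_day(today):
    """Most recent Patch Day on or before `today`."""
    candidate = second_tuesday(today.year, today.month)
    if candidate <= today:
        return candidate
    if today.month == 1:
        return second_tuesday(today.year - 1, 12)
    return second_tuesday(today.year, today.month - 1)


def assessment_overdue(last_assessment, today):
    """True once a Patch Day has passed that the last assessment did not cover."""
    return last_assessment < last_patch_day(today)


if __name__ == "__main__":
    # Constructed scenario: last assessment ran on 9 July 2014.
    last_run = date(2014, 7, 9)
    for day in (date(2014, 8, 1), date(2014, 8, 13)):
        print(day, "next Patch Day:", next_patch_day(day),
              "overdue:", assessment_overdue(last_run, day))
```

Run it after a Patch Day to see whether the newly released notes have been reviewed; the check is deliberately strict, treating any Patch Day not covered by an assessment as a gap.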
By way of background, I have been in the security field, specifically on the proactive testing (penetration testing) side, for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.
I say all of this to communicate that I would grade myself as having above-average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise, I smiled and thought "well, I guess I know what I am doing for the first couple of days". As it turns out, SAP is a world unto itself, with a lot of history and complexity.
This blog post is the second in a series documenting the self-education I have been undertaking as I learn about SAP: assessing the security of an SAP system and then implementing secure practices.
As I mentioned in my first post in this series, the typical reaction of a business when asked about the security of its SAP systems is to point to the SoD checks it performs: the testing it does to ensure that proper Segregation of Duties is enforced, meaning the system has logic in place to prevent fraud, so that, for example, the person who submits an expense report cannot also approve it.
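To make the SoD idea concrete, here is an added Python example (not code from the original post, from Onapsis or from SAP) that runs a conflict check over user-to-role assignments. The role names, the business functions they grant and the user assignments are all constructed for the example; a real check would read them from the system's authorization data. It reports every user who holds both halves of a forbidden function pair, such as submitting and approving expenses.

```python
"""Minimal Segregation-of-Duties (SoD) conflict check.
Added example with constructed roles, functions and users; not SAP or Onapsis code."""
from collections import defaultdict

# Hypothetical roles and the business functions each one grants (constructed).
ROLE_FUNCTIONS = {
    "Z_EXPENSE_SUBMIT": {"expense.submit"},
    "Z_EXPENSE_APPROVE": {"expense.approve"},
    "Z_VENDOR_MAINTAIN": {"vendor.create"},
    "Z_PAYMENT_RUN": {"payment.release"},
    "Z_DISPLAY_ONLY": {"report.display"},
}

# Function pairs that a single person must never hold together.
SOD_CONFLICTS = {
    frozenset({"expense.submit", "expense.approve"}): "submit and approve own expenses",
    frozenset({"vendor.create", "payment.release"}): "create a vendor and release payments to it",
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["Z_EXPENSE_SUBMIT", "Z_DISPLAY_ONLY"],
    "bob": ["Z_EXPENSE_SUBMIT", "Z_EXPENSE_APPROVE"],
    "carol": ["Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN", "Z_DISPLAY_ONLY"],
    "dave": ["Z_EXPENSE_APPROVE"],
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the business functions granted by a list of roles.
    Unknown role names grant nothing rather than raising."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(user_roles, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [conflict description, ...]} for every user whose
    effective functions contain a complete forbidden pair."""
    violations = defaultdict(list)
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        for pair, description in conflicts.items():
            if pair <= funcs:  # both functions of the pair are held
                violations[user].append(description)
    return dict(violations)


if __name__ == "__main__":
    for user, problems in find_sod_violations(USER_ROLES).items():
        for problem in problems:
            print(f"{user}: SoD conflict - can {problem}")
```

Note what this check does and does not cover: it reasons only about the authorization design (who may do what), which is exactly the SoD view most businesses describe. It says nothing about whether the underlying application, its configuration or its unpatched components can be exploited to bypass those authorizations, which is the gap the rest of this post is about.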
Given 10 years of dealing with buffer overflows, client-side attacks, SQLi and numerous other ways to exploit weaknesses in how systems have been coded and implemented, I was more than a little surprised to learn that testing the underlying SAP applications and their configuration was not common practice.
There are numerous presentations and articles online that talk about the day SAP released 500 notes, and others that discuss the current rate at which SAP releases notes. Suffice it to say that SAP is a large and mature technology with the typical number of issues of any large and mature technology.