OPINION: Securing your SAP without modifying your environment

SAP is the most popular business application, with more than 120,000 customers in all verticals; 74% of Forbes 500 businesses rely on the platform. Because SAP plays such a vital role in your business, and because hackers focus on the low-hanging fruit – your application infrastructure – you need to know how to improve the security of your SAP applications.

The challenge of securing SAP applications

SAP applications are usually quite sensitive and vulnerable. SAP has released more than 3,300 security patches across all versions. While SAP continuously releases security patches, 30 per month on average, over 46 percent of which were ranked as high priority (2014 SAP Security Advisories – A Year in Review and Future Trends), these patches tend not to be applied.

For the most part, this has to do with the adverse effect the patches are expected to have on application functionality in customized environments. Administrators worry that applying a patch may introduce bugs and regressions, so many decide not to apply them at all. Such organizations remain exposed to hackers exploiting old, well-known vulnerabilities.

In May 2016, the Department of Homeland Security issued an alert about a 5-year-old SAP vulnerability that is still being exploited (Alert TA16-132A). According to ONAPSIS, an SAP-security vendor:

“The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems.”

Wild exploitation & Cyber-attacks on SAP business applications, ONAPSIS.

A vulnerable SAP application could lead to full compromise of the company’s business critical information. Fortunately, there is a way for businesses to protect themselves, even without modifying their SAP environment.

Deploy a central point of control to secure all your SAP applications

Even if you have a dedicated SAP security team, it will likely focus on enforcing user roles and authorizations. Most SAP security teams lack the expertise, skills and tools needed to deal with advanced web attacks.

Here are a few steps you can take to better secure your critical SAP applications:

  • Scan your applications to identify all the network, system and application vulnerabilities that hackers will try to leverage against your SAP infrastructure.
  • Use a reverse-proxy-based WAF to prevent the exploitation of SAP vulnerabilities and to protect against advanced web attacks targeting the application layer, such as DDoS or cross-site scripting (XSS).
  • Use threat intelligence to optimize the performance of your WAF: reduce the number of false positives, block malicious bots, and adjust authentication and security policies to user context and behavior.
  • Prevent the unnecessary disclosure of SAP information by hiding internal URIs (/sap/bc/gui, /sap/bc/bsp, etc.), blocking banners and routing traffic to internal services, so that they are not crawled by search engines and bad bots.
  • Adjust the policy to the specifics of your infrastructure by decoding Base64-encoded parameters before inspection and avoiding false positives with pre-defined exceptions.
  • Enforce the user access policy by adapting authentication methods to user context and monitoring user behavior to prevent illegal actions.
  • Look for indicators of compromise resulting from the exploitation of vulnerabilities.
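To make the reverse-proxy items in the list above concrete, here is an added example of the kind of request filter a WAF in front of SAP would apply. It is illustrative code written for this post, not DenyAll's, SAP's or any WAF product's own implementation. The two hidden URI prefixes are the ones named in the list; the banner header names, the exception list, the sample paths and the XSS signature are assumptions constructed for the example. It shows the three mechanics the list describes: refusing internal URIs at the boundary, decoding Base64 parameter values before matching a signature so encoding does not bypass the rule, and a pre-defined exception that keeps a legitimate markup-carrying parameter from becoming a false positive. Response headers that leak the backend product are stripped on the way out.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# URI prefixes the article names as internal; nothing under them should be reachable
# from the Internet through the proxy.
HIDDEN_PREFIXES = ("/sap/bc/gui", "/sap/bc/bsp")

# Hypothetical banner headers to strip from responses (assumed names, not an SAP list).
BANNER_HEADERS = ("server", "x-powered-by", "sap-server")

# Pre-defined exceptions as (path, parameter) pairs: a constructed example of a report
# endpoint whose "notes" field legitimately carries markup, so it is not inspected.
EXCEPTIONS = {("/sap/public/report", "notes")}

# Deliberately narrow XSS signature: script tags, javascript: URLs and a short list of
# event handlers. A bare "on\w+=" would also match "donation=", a classic false positive.
XSS_PATTERN = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover)\s*=",
    re.IGNORECASE,
)


def try_base64(value: str):
    """Return the UTF-8 text behind a Base64 value, or None if it is not valid Base64."""
    stripped = value.strip()
    # Short or mis-padded strings are not worth decoding and would mostly be noise.
    if len(stripped) < 8 or len(stripped) % 4:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_request(target: str):
    """Apply the policy to a request target (path plus query).

    Returns ("allow", reason) or ("block", reason).
    """
    parts = urlsplit(target)
    path = parts.path

    # 1. Hide internal URIs: match the prefix exactly or at a path-segment boundary,
    #    so "/sap/bc/bspx" is not accidentally caught by the "/sap/bc/bsp" rule.
    if any(path == p or path.startswith(p + "/") for p in HIDDEN_PREFIXES):
        return "block", f"internal URI {path} is not exposed"

    # 2. Inspect every query parameter, raw and (where applicable) Base64-decoded.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if (path, name) in EXCEPTIONS:
            continue  # pre-defined exception: known-good parameter, skip inspection
        candidates = [value]
        decoded = try_base64(value)
        if decoded is not None:
            candidates.append(decoded)
        for candidate in candidates:
            if XSS_PATTERN.search(candidate):
                return "block", f"XSS signature in parameter {name!r}"

    return "allow", "policy passed"


def scrub_response_headers(headers: dict) -> dict:
    """Drop headers that announce the backend product (banner blocking)."""
    return {k: v for k, v in headers.items() if k.lower() not in BANNER_HEADERS}


if __name__ == "__main__":
    # Constructed sample requests; the Base64 value decodes to "<script>alert(1)</script>".
    samples = [
        "/sap/bc/gui/sap/its/webgui",
        "/sap/bc/bspx",
        "/sap/public/search?q=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
        "/sap/public/search?q=hello world",
        "/sap/public/report?notes=%3Cb%3Eurgent%3C%2Fb%3E%3Cscript%3E",
    ]
    for target in samples:
        decision, reason = inspect_request(target)
        print(f"{decision:5s} {target} ({reason})")
    print(scrub_response_headers({"Server": "backend", "Content-Type": "text/html"}))
```

The decode-before-match step is the part that matters most in practice: a signature that only sees the raw parameter never matches an encoded payload, while decoding everything indiscriminately inflates false positives, which is why the helper only decodes values that are well-formed Base64 of a plausible length and why the exception list exists at all.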

If you need more details on these points, watch the video recording of our SAP webinar, in which DenyAll CTO Vincent Maury and CMO Stéphane de Saint Albin explain specifically what you can do to secure your SAP environments:

Video: How to defend against SAP vulnerabilities

Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us his passion, curiosity and fresh ideas to promote DenyAll and Cloud Protector at their best.
