In the last 20 years, the software ecosystem has invested billions of dollars increasing software security using automate updates. Is your SAP systems protected?
A guest post by John Appleby
You may have opened your laptop in the last month only to be notified that your computer has automatically updated for your security. It wasn’t always this way - 20 years ago, your PC had to be manually updated, and this opened up your computer to be vulnerable to attackers, looking for ways into your private information.
In the last 20 years, the software ecosystem has invested billions of dollars to both reduce the attack vector of software with bugs which allow access to sensitive information, and in software which automatically updates to keep you protected without needing to apply manual updates.
What they found was that the average person doesn’t understand the risk of not updating, or thinks it won’t happen to them, so they didn’t do it themselves. Much the same happens with manufacturer recalls for food and cars, which is why car manufacturers spend so much time contacting you to let you know your car needs a fix for a leaking fuel tank.
However SAP has not followed this trend - instead, assuming that customers will secure their own systems, keeping them up to date and changing settings so they are secure. There are some customers who are very disciplined in this respect, especially those that operate in industries where the risk is very high, like Pharmaceuticals and Government.
As the latest Onapsis report details, the vast majority of SAP customers simply don’t do this, not because they don’t care, but because it is so incredibly complicated to keep their SAP system secure. Here are some key areas which need to be considered.
Platform - Operating System and DatabaseMany of the major Operating Systems like SUSE Linux have SAP-specific installations. You would think this would improve security, but it means that customers can’t use a “standard” build for these systems, which often has their Enterprise Security best practices built in. And once a new security fix is done to the “standard” build for your business, it also needs applying to the SAP-specific installations. Unfortunately, customers often miss this critical step.
The same applies to databases, they have to be running specific versions of the database software to be supported by SAP, which is an especially critical issue with Oracle because the Oracle security fixes are often conflicting with the SAP fixes that have to be applied. SAP often requires hundreds of such fixes to be applied, and this opens up the systems to be missing critical security fixes.
SAP Settings & ParametersSAP has an enormous amount of settings - tens of thousands, which can be applied. Many of these are configured out the box at the time of installation, and so in a typical enterprise, every SAP system is different. They are also applied in a plethora of different places (SAP Kernel, Profile Parameters, Configuration Files, etc.) and whilst businesses have a “best practice” configuration sheet, this is a manual process and audits are notoriously time consuming.
There are three major types of SAP updates
- Support Package Stacks
- SAP Notes
A version of SAP has a support horizon; the most common SAP software, SAP Business Suite 7.0, has a support horizon until 2025, which is when it will have security updates produced until. Of course, many customers run older versions of SAP which are beyond support and don’t have security updates available.
SAP provides most security fixes via Support Package Stacks, which are a collection of software updates bundled into a pack. They typically impact millions of lines of code, and the beauty of SAP is that you can customize anything - including SAP-delivered code. This means that Support Package Stacks are notoriously expensive to apply, and unlike Windows Update, customers typically apply them semi-annually, annually, or not at all.
Some security fixes are also delivered as SAP Notes, or “Hot News”, which can be manually applied to a system. They typically only impact hundreds or thousands of lines of code, so it is often possible to apply them with minimal testing, but your SAP operations team have to be on the lookout for these fixes.
Why are SAP systems so insecure?Hopefully it is now easy to understand why SAP systems are so insecure: they are so complicated, so bespoke to your business, and relatively difficult to update, and this means that customers simply don’t know that they have gaping security holes, and don’t have the budget to fix it.
In addition, whilst the vast majority of the SAP installed base are running on-premises “legacy” versions of SAP, SAP is focused on innovating in the cloud. In the cloud, most of these issues go away because SAP can control the environment, the versions, the fixes applied, and can have all customers running on a common set of settings which are updated to all customers. There is no incentive for SAP to invest in security for its installed base.
What can organizations do about this?
One approach is to invest in a big security audit, penetration testing, and best practices. Unfortunately this is extremely expensive, and only fixes the problem at this point in time. The reality is that most issues in SAP environments are cause because of incorrect configuration and wrong versions.
What if someone had built software which:
- Provides a template set of best practices across all these areas, which can be tailored to your specific requirements
- Can either automatically apply these best practices to systems, or can automatically audit systems every day
- Instantly alerts you when a system is out of compliance and captures changes
- Delivers upstream service tickets so security issues have an associated incident
Want to learn more? contact us for your own private demo
5 Ways SAP MSPs Can Set Themselves Apart From the Rest
The upwards trend of cloud adoption, not least in SAP environments, across multiple industries...
5 services only innovative SAP MSPs can offer
With the sheer volume of SAP MSPs that are active in the market right now, finding one that’s a...
The Most Severe SAP Security Risk is Out, Are You Protected?
SAP has just released the highest severity security notice of 2019. What can you do to protect your...