Cross-site scripting, failure to check credentials, directory traversal and SQL injection make up more than three-quarters of vulnerabilities in SAP environments, according to a presentation by ERPScan's Alexander Polyakov to RSAConference Asia Pacific 2013. And the vulnerable state of the SAP world is increasingly attracting …
"And – whether it's because owners are lazy or updates are difficult – Polyakov said 35 percent of the systems ERPScan found were using NetWeaver 7 EHP 0, which hasn't been updated since 2005. Another 19 percent were running software that hasn't been patched since 2009, and 23 percent ran a version last updated in 2010."
So more than 50% of the ERP software in use is out of support. It's not laziness, let me assure you. See, this is even less than the number of failed/incomplete/out of budget/schedule big ERP implementations.
What really happens is that when businesses manage to deploy one of these monsters without making themselves disappear, they are unwilling to change anything, for fear of the house of cards collapsing.
Unfortunately this is no surprise to many of us working in the SAP security field. SAP are working very hard to improve, unfortunately clients are struggling to care.
Some key themes:
1. Security admins' main knowledge is around building roles/permission structures and user admin. The technical side is neglected (despite being covered quite well in certification) and there is a big gap.
2. Patching is time consuming and many organisations require full regression testing for each set of patches. Across 20 productive systems (each with a supporting application stack of 2-5 systems) covering a full scope of business processes that comes at quite a cost (though not as much as a breach of course).
3. IS teams rarely talk to SAP teams. SAP has been treated as a silo & there is a disconnect between IS and their SAP counterparts. Many SAP admins do not understand the impact of vulnerabilities, the IS teams struggle to use terms that the SAP guys understand.
Fortunately some people do "get it" and plenty of orgs are doing good stuff & SAP is committed to make it easy for people to do the right thing.
Disclaimer: I work for a company doing security for SAP
>Disclaimer: I work for a company doing security for SAP
Johnny Curious here.
Do you know how well PeopleSoft sites are managed wrt security? Is there a demand for security consultancies on PeopleSoft?
Easy reason why
Most SAP Basis Admins are of the "Look ma! I am doing computing!" ilk with no real clue about what thinking for yourself actually means, instead being spoon-fed SAP's party line and neglecting to do anything on their own initiative. And now they are getting their just deserts. Ha!
Not a big surprise but a very big issue
There is a disconnect between SAP technical / Basis people and the "New" world of mobile and internet with regards to security. The documentation, training, solutions are all there ready for use and the only cost is the time of implementation plus some hardware. The time of implementation and the fear of breaking the old ERP system due to patching is a problem though and very few companies have a strategy for keeping their SAP systems up to date.
Sometimes the lack of knowledge on how to secure things properly means that security becomes the excuse for not allowing internet access to the systems or mobile solutions. That lack of knowledge can be attributed to laziness, fear of new things by the employees themselves and, in the past, poor solutions from SAP, something that is now no longer the main issue, but once burned... So we as security consultants just stay in our comfortable role, doing what we do well and not venturing into unknown and dangerous territory, flagging security as our banner for blocking all the new things (like the internet, such a very new thing ;)
Slow And Painful
I am not surprised at the results of this survey; anyone that has had any work in this area should know about some of these issues.
The software gets loaded, the systems set up; and then the consultants start making changes. The instant that anyone then tries to do a patch, it all goes horribly wrong. This is made worse because so many of the consultants do not document their work, so no-one knows what has been done, by whom, when, where or how. As the AC above highlights, it then gets to the stage where the business just won't accept the risk and bans further updates.
For anyone that has had to work with SAP admin, the way that they provide support, updates, downloads etc. is not the easiest to work with. Even once you have learned to navigate the support portal, it can take a lot of time to identify what you actually need. SAP Notes are supposed to make the information available, but in most cases they just seem to make the situation even more confusing; many times I've had to read my way through a dozen or more, just to try to understand what the proposed solution is meant to be.
I'd also highlight that I've seen many consultants insist on implementing connections from the client to their own business; and these connections are generally very poorly managed. Consultants sharing connections, IDs, using SAP_ALL and advising clients to work the same way; I'm surprised that there aren't more issues (there may well be, but they just keep schtum about them).
A number of consultancies have been aggressively marketing their hosting facilities, in which they promise to do all the management (for a fee). But in fact, all they do is run the SAP EarlyWatch reports and then suggest that the client's staff should be doing patching etc., even though the client has got rid of the staff that would have done the work because they outsourced to the consultancy.
But to my mind the worst of all is that so many consultancies promote themselves as experts to their clients, but then offer really poor advice, then blame it on the client when it doesn't work. When you get good consultants (and they are out there) they do a good job. But there are just too many out there that I wouldn't even allow on site, let alone touch the software.
For reference, I have worked on several SAP systems and undertaken a number of their certs, including the security & GRC.
Piffle! - SAP is inherently secure
i.e. 'We can't get the data we need out of this pile of shit, how the fuck will anyone else.'