Enterprise giant SAP's systems take a probe to the wobbly bits - report

For clarity, "SAP Router" is software, not hardware, and should be sat behind an industrial-strength firewall. Anything else is pure incompetence and the SAP Basis responsible should be sacked.

Nothing new here

We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.

Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.

For me, there's a whole load of things wrong with this article.

First, people need to understand what a SAP router is. It is a piece of software which is designed to let SAP connect to your systems for support purposes. There are 85k SAP customers running these sorts of systems and most have several SAP routers. I'd expect there are around 250k SAP routers around the world.

Then you have to understand that SAP routers are designed to provide connectivity information for what SAP system to connect to - hence the word "router". They are also a primitive firewall and herein lies the problem because lazy administrators use them as a router and firewall and expose them to the internet.

This is stupid and irresponsible and a huge business risk to an organization. SAP routers do not provide protection and you need to use proper routers and firewalls. This is well documented and there are design guides for SAP routers that explain all this.

As the guy below says, those lazy administrators (3% of SAP routers) should be fired.

Then let's cover off the SAP systems that are out there. There are, as I said, around 85k ERP customers, most of which have many SAP systems. It's not unusual for larger customers to have hundreds, and this means that there are millions of SAP systems out there, and many different versions and patch levels.

SAP do of course release security fixes but the code base is huge and there are relatively few penetrations. I worked with a SAP defense customer some years back and they said they broke the SAP security protocol in 15 minutes. I looked worried and they said "Oh don't worry, 15 minutes is actually pretty good, your competitor took 30 seconds. We just have some rather good hackers".

But what this means is that the SAP stack has been poked at by some pretty good white hat hackers. The problem is that many customers don't apply fixes to server operating systems, databases or application layers, leaving all of them open to security flaws. As usual, this is the real risk.

What I really don't like about this article is that it gives a security vendor a load of publicity, when they have totally failed to understand the security threat and helped customers address it. This is the point of security advisory services and they have totally failed.

In case anyone thinks I'm pro-SAP, I made sure to give them a boot too - their security response is not adequate.

http://scn.sap.com/community/security/blog/2013/11/13/security-of-the-saprouter

John