SAP applications more vulnerable than users might think
Many application owners are unaware of how vulnerable their SAP applications may be, significantly increasing the risks to their core enterprise systems. This is the overall conclusion of a Turnkey Consulting and Onapsis report.
Only 14.3% of respondents believe an external attack is the greatest risk to their SAP environment, despite digital transformation, cloud-first approaches and mobile access increasing the levels of external threat faced by SAP systems. 40.8% believe internal fraud is the biggest threat, 26.5% say a data loss or breach, 12.2% opt for systems downtime and 6.1% are not sure.
SAP application vulnerabilities
The average SAP customer will have around 2500 vulnerabilities within their custom code (programs created to tailor the SAP system for their specific needs), but 36.7% of respondents don’t review this code for security and quality issues.
36.7% carry out reviews, but do so manually, an approach that is slow and error-prone. 32.7% do not review code developed by third parties before it is imported into their SAP system, while 20.4% are not sure whether they do.
That 36.7% of survey respondents had experienced downtime in their SAP landscape as a result of coding issues highlights the vital importance of review activity.
The research covered a range of questions that looked at how prepared customers were to deal with outside threats; most specifically it explored the perception that SAP systems are protected because they are within the internal network, and how this belief influences attitudes to external risks.
Other key findings
- 18.4% agree with the statement that ‘SAP is within our network, and so is secured against cyber threats’, while 26.5% are not sure. 51% do not believe this to be the case and 4% don’t know. It should be noted that those that are confident about being fully secured have the right tools and monitoring in place, or low levels of internet-facing activity.
- Only 28.6% can confirm they have an SAP vulnerability management program in place.
- Only 28.6% can say for certain that their SOC has visibility into SAP security events – demonstrating the disconnect between SAP security and the wider IT security environment.
- 51% say their SAP systems are always up-to-date and updated with the latest patches – but 36.7% report this is not the case and 12.3% aren’t sure.
- 30.6% feel their users’ maturity and capability to manage cyber risk to the SAP landscape leaves room for improvement, with the same number believing it is only average.
The risk posed by these findings is highlighted by recent Onapsis research that showed SAP-specific threat actors are actively targeting and exploiting unsecured SAP applications and have the expertise and capabilities to carry out sophisticated attacks.
There’s still a long way to go
Tom Venables, practice director of application and cyber security at Turnkey Consulting, says: “A key trend, and continuous theme over the years, is the disconnect between the widely-acknowledged challenges of SAP security, and the broader understanding and management of IT risk in general, where tools and processes have evolved to respond to growing threats in a more comprehensive way. Closing this gap is critical if organizations are to protect themselves against the growing exposure to external threats.”
André Ros, director of EMEA alliances and channels at Onapsis, says: “Organizations are making progress in how they protect their SAP systems, but, as recent events in the news demonstrate, it’s still not enough. Traditional defence-in-depth strategies often fall short at protecting the business-critical SAP application layer.
“Onapsis Research has demonstrated that threat actors can exploit unprotected, unpatched business-critical systems in less than 72 hours after the release of an SAP Security Note. Better protecting this SAP application layer from vulnerabilities with the right technology, timely threat intelligence, impactful services, and improved internal processes will prove to be paramount to success.”
The report advises on addressing the gap in understanding with education, the adoption of a ‘secure by design’ approach and breaking down the silos that exist between the SAP estate and wider IT risk management.