by Divya Agrawal

SAP enterprise applications are the core of any large-scale company. ERP and other business-critical applications based on SAP are used by innumerable organizations around the globe.

SAP enables all the critical business processes, from procurement, payment, and transport to human resources management, product management, and financial planning. All data stored in ERP systems is of great importance, and any illegal action against it could result in enormous losses and even the termination of business processes. Despite this importance, the criticality of SAP security has not been discussed as much as that of other platforms like Android.

These business applications store critical corporate data which, if leaked or manipulated, could prove to be a disaster for any company. Such systems are specifically targeted by hackers or competitor companies seeking to leak trade secrets and financial data.

According to the SAP Cyber Threat Report by ERPScan, there are several common problems when it comes to SAP security:

  • Lack of qualified specialists - SAP specialists in most companies still consider SAP security to be a SoD (segregation of duties) matrix only, whereas security officers hardly understand SAP threats, let alone the methods and approaches for preventing them.
  • Wide range of advanced configurations - There are more than 1000 parameters in a standard system configuration, plus a great range of advanced options, not to mention the segregation of access rights to various objects such as transactions, tables, RFC procedures, etc. For instance, the web interfaces alone used to access the system can amount to several thousand. Securing a configuration on this scale can be hard even for a single system.
  • Customizable configuration - You can hardly find two identical SAP systems because most parameters are customized for every client. Furthermore, most companies develop custom programs, whose security must also be accounted for in a complete assessment.

Since its inception, more than 3500 SAP security notes have been released, and now, because of cloud and mobile technologies, these vulnerabilities can affect thousands of companies that are running vulnerable SAP services. Just to remind you, we are talking about SAP here, a system that more than 80% of the Fortune 500 companies use in one way or another.

There have been many major attacks on SAP-based systems in the recent past. Some got media attention, but almost 90% of the data breaches in SAP environments go unnoticed because the employees or the security officer (CISO) are not aware of the different techniques used to exploit and gain access to an SAP system or database, since these differ from the traditional attack process against web applications.

In 2012, the Greek Ministry of Finance was attacked by the Anonymous group. Anonymous said they had accessed IBM servers and obtained a SAP zero-day exploit. The group claimed to have stolen confidential documents and credentials from the Greek Ministry of Finance.

In 2013, the world witnessed the first malware that targeted SAP as well as banking applications. The Nvidia customer service website was also attacked through a vulnerability in an SAP application which Nvidia had not patched even after years. Since then, hundreds of other SAP portals and applications have been hacked, mostly due to a lack of technical understanding of the security risks in SAP environments.

SAP applications exposed to the Internet can easily be found using Google dorks and even Shodan.

