SAP Security Solutions for the Retail Industry
Feb 13, '23 by Joerg Schneider-Simon
Retailers face multiple (and growing) challenges in a highly competitive marketplace. To meet these challenges, many retailers turn to SAP to transform the customer experience across every channel while improving sustainability across the entire value chain.
A whopping 95% of the most successful retailers in the world run SAP solutions. The trouble is, hackers know this, too.
SAP in a retail environment is a prime target for hackers, meaning you must harden its security.
How? First, you must learn about the biggest SAP security threats facing retailers today. Then you must deploy the right mix of SAP security solutions for the retail industry.
Two Growing Threats to SAP Security
Backdoors
When researchers identified the critical vulnerability in Log4j in 2021, it was a wake-up call for many companies. Log4j is a shared component used in many commercial applications, and SAP’s Java-based applications were affected too: Log4Shell, one exploit of the Log4j vulnerability, gives unauthorized users a backdoor into SAP systems.
Also recently, three vulnerabilities have been identified that can be exploited from the Internet with no authentication, allowing hackers to steal confidential information, hijack user sessions or username/password combinations, and perform DoS attacks. These vulnerabilities are:
- CVE-2023-016: A SQL injection vulnerability that allows an unauthorized attacker to execute crafted database queries, which could let the attacker access, modify, and/or delete data in the backend database. The vulnerability was assigned a CVSS score of 9.9.
- CVE-2023-0022: A code injection vulnerability with a CVSS score of 9.9. If exploited, an attacker can perform operations that may completely compromise the application.
- CVE-2022-41267: A vulnerability with a CVSS score of 9.9 that allows attackers to upload and overwrite files at the OS layer, enabling the attacker to take full control of the system.
- CVE-2022-22536: A memory pipes (MPI) desynchronization vulnerability that received the highest possible CVSSv3 score of 10.0.
Lastly, a vulnerability in the SAP Supplier Portal application allows anyone to register an RL account and access the SAP app.
Developer Risks
Software developers are a growing source of risk because SAP applications today require far more customization of SAP code, and each customization potentially introduces new vulnerabilities. Traditionally, SAP developers focused on business logic only, sometimes omitting required authorization checks or proper sanitization of user input. Cloud applications also tend to be connected to external apps, creating both a people and a technology vulnerability.
In some instances, developers write code that retrieves data at the program level without any person being notified that the data was taken.
To minimize this type of vulnerability, companies need to make security part of the application’s requirements rather than an afterthought. Code reviews and state-of-the-art static analysis tools further reduce developer risk.
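The two developer mistakes named above, a missing authorization check and unsanitized user input, are easiest to see side by side. The following is an added illustration, not code from the article or from Bowbridge: it uses Python and an in-memory sqlite3 table as a stand-in for a custom SAP report that reads a salary table. The table, rows, user names and the `SALARY_READERS` authorization model are all constructed for the example.

```python
"""Added example: vulnerable data access beside its hardened form.
Not code from the original article; sqlite3 stands in for an SAP table."""
import sqlite3

# Constructed sample rows standing in for a sensitive HR salary table.
SAMPLE_ROWS = [
    ("100001", "Alice", 95000),
    ("100002", "Bob", 72000),
    ("100003", "Carol", 110000),
]

# Constructed authorization model: only these accounts may read salaries.
SALARY_READERS = {"HRADMIN"}


class NotAuthorized(Exception):
    """Raised when the caller lacks the required authorization."""


def open_db() -> sqlite3.Connection:
    """Create the sample table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salary (pernr TEXT, name TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO salary VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def salary_vulnerable(conn: sqlite3.Connection, pernr: str):
    """Both mistakes at once: no authorization check, and the user-supplied
    personnel number is pasted straight into the SQL text (SQL injection)."""
    sql = f"SELECT pernr, name, amount FROM salary WHERE pernr = '{pernr}'"
    return conn.execute(sql).fetchall()


def salary_hardened(conn: sqlite3.Connection, caller: str, pernr: str):
    """Fix: authorization check first, then input validation, then a
    parameterized query so the input can never change the query's shape."""
    if caller not in SALARY_READERS:
        raise NotAuthorized(f"{caller} may not read salary data")
    if not (pernr.isdigit() and len(pernr) == 6):
        raise ValueError("personnel number must be six digits")
    sql = "SELECT pernr, name, amount FROM salary WHERE pernr = ?"
    return conn.execute(sql, (pernr,)).fetchall()


def run_demo() -> dict:
    """Exercise both variants with a crafted input and an unauthorized caller."""
    conn = open_db()
    crafted = "' OR '1'='1"  # turns the lookup into "return every row"
    result = {
        "vulnerable_rows": len(salary_vulnerable(conn, crafted)),
        "hardened_rows": salary_hardened(conn, "HRADMIN", "100002"),
    }
    try:
        salary_hardened(conn, "HRADMIN", crafted)
        result["crafted_rejected"] = False
    except ValueError:
        result["crafted_rejected"] = True
    try:
        salary_hardened(conn, "SOMEUSER", "100002")
        result["unauthorized_rejected"] = False
    except NotAuthorized:
        result["unauthorized_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns all three rows for the crafted input; the hardened one returns exactly the requested row, rejects the crafted input on validation, and refuses an unauthorized caller before touching the database. The same ordering (authorization, validation, parameterized access) is what a code review or static analysis tool should look for in custom SAP code.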
3 Ways Retailers Can Protect Their SAP Systems
Continuously Monitor Configuration and Authorization Changes
“One area of vulnerability is configuration changes or authorization changes that happen in the system and that are sensitive in nature,” says Akhil Seth, SAP Security Consultant for a multinational retail corporation. “These include somebody gaining access to critical HR data tables (such as salary information and personal information). If somebody gains that access without authorization, or somebody gets administrative access to assign anything to themselves, they can perform malicious activity.” One way for an attacker to achieve this would be to exploit a SQL-injection vulnerability like CVE-2023-016. Seth continues: “This requires that retailers perform continuous monitoring of configuration and authorization changes in real time.”
Monitor Key Transaction Codes
If somebody, for example, uses the user management transaction without authorization and creates a dummy user in the production system, they can then do whatever they want. This is a massive risk, because someone with development rights can develop directly in production and write a piece of code that can be exploited for malicious activity.
Retailers must employ transport management processes and other measures to make the review of transaction codes a standing procedure. If retailers can do this in real time, even better.
Detect Exploitation of SAP Notes and Misconfigurations
“SAP has bugs in its system. This is why, when retailers are either testing or implementing a new product, they work with SAP to see if their work creates any vulnerabilities,” says Suresh Gandu, ERP Security with the same multinational retailer.
He adds, “Then they ask SAP to remediate these vulnerabilities. SAP then comes back with pilot SAP Notes and asks the retailer to test them. In this way, any new exploit can be handled at the SAP level in a proactive manner. Retailers want SAP to be proactive and give retailers SAP Notes to vulnerabilities as quickly as possible.”
The key thing to remember is that nobody should get access directly into the system without the retailer’s notice. And if they do, the retailer must be alerted immediately.
How Retailers Can Stay Competitive While Staying Secure
“Two vital areas of concern for retailers are inventory and the way retailers interact with their suppliers,” says Seth. “There shouldn’t be any vulnerabilities in a retailer’s SAP solution that allow unapproved suppliers to see sensitive customer and company data in the retailer’s system.”
Potential suppliers who are in the bidding process, for example, and who are not yet approved vendors, must never gain access to information that’s sensitive in nature. Protecting access to sensitive information, such as supplier and customer data, is vital.
Many of these processes with suppliers and partners include the transfer of files of various types (think product data, marketing content, images, etc.). Ensuring these files do not present a risk for the SAP users or the SAP application itself is critical.
Bowbridge can be your trusted partner in securing your retail SAP systems against file-based attacks, including malware, active-content, file-based cross-site scripting (XSS) and many more. If you want to learn more about how prepared your organization currently is to withstand these attacks, take the SAP Cybersecurity Self-Assessment.