Security and Compliance for Web-Facing SAP Applications
Oct 14, '20 by Joerg Schneider-Simon
Are your web-facing SAP applications vulnerable to total compromise by a remote, unauthenticated attacker?
They may be less secure than you think: as it turns out, a recently identified SAP vulnerability can be reached through Internet-facing applications.
In July 2020, SAP issued patches to fix a critical vulnerability (CVE-2020-6287) that affects an estimated 40,000 SAP systems, including SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal and SAP Solution Manager.
This vulnerability is caused by a lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50.
Attackers can exploit this vulnerability through an HTTP interface, the type of interface that is commonly exposed to end users and often to the Internet.
“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” says the US Cybersecurity and Infrastructure Security Agency.
This latest vulnerability is a sobering reminder of the need for organizations to harden their web-facing SAP applications against cyberattacks, and to ensure that they are in compliance with regulations governing privacy of personal data (HIPAA and Sarbanes-Oxley, for example).
SAP Applications Most at Risk
Modern SAP applications are commonly exposed to untrusted users, untrusted networks, and untrusted devices. This requires organizations to implement robust security controls on the data that flows in and out of these applications.
SAP CRM, SRM, and ERP are prime targets for cross-site scripting (XSS) attacks, injection attacks, and directory traversal attacks. These attacks gain access through malicious user input into these web-based, externally accessed applications.
Also at risk are any SAP applications (such as S/4HANA and C/4HANA suites, SAP Analytics Cloud, SAP Data Hub and SAP Ariba) that use the SAP Fiori design language to make these applications available to remote users via the Internet.
How to Secure Web-Facing SAP Applications
To ensure the security and compliance of your web-facing SAP applications, you must defend yourself on two fronts—your system and your environment, usually with the help of third-party solutions.
Protect your system
Start with your Fiori apps. SAP Fiori is a set of apps that make the most frequently used SAP functions available to remote (often mobile) workers, customers and suppliers. These functions include workflow approvals, information lookups and self-service tasks. SAP Fiori makes SAP on-premise applications simple and easy to use across desktops, tablets, and smartphones.
When deploying Fiori-enabled apps to devices on public networks, take these steps to boost security:
- Deploy a reverse proxy for Internet-facing instances of SAP Fiori
- Do not allow WDA and WebGUI apps
- Block access to the HTTP port on the NetWeaver Gateway server at the firewall
- Implement HTTP Strict Transport Security
- Allow access to critical Fiori apps only over VPN
- Activate MIME-type integrity checks on your SAP application
- Encrypt all system connectivity
- Only activate the necessary ICF nodes and OData services for the Fiori apps you intend to use
- Keep all web-facing applications up to date with the latest security patches
If you use SAP Web Dispatcher to protect your web-facing SAP applications:
- Deploy a web application firewall in front of the SAP Web Dispatcher to monitor and control all incoming HTTP requests
- Configure your SAP Web Dispatcher Routing to only forward requests to services in the Internet Communication Manager that are necessary to run SAP Fiori apps
- Implement redirections from HTTP to HTTPS URLs in Web Dispatcher and ICM
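The transport and routing items in the two checklists above (HTTP-to-HTTPS redirection, HSTS, no WDA/WebGUI, forwarding only what Fiori needs) can be checked against recorded probe responses. This is an added example, not code from the original article or from SAP; the prefixes in `FIORI_ALLOWED`, the one-year HSTS threshold and the sample observations are assumptions to adapt to the apps you actually activate.

```python
import re
from urllib.parse import urlsplit

# Assumed ICF prefixes needed by the activated Fiori apps; adjust per landscape.
FIORI_ALLOWED = ("/sap/bc/ui5_ui5/", "/sap/bc/ui2/", "/sap/opu/odata/",
                 "/sap/public/bc/ui5_ui5/")
# Web Dynpro ABAP (WDA) and WebGUI entry points, which the checklist disallows.
LEGACY_UI = ("/sap/bc/webdynpro/", "/sap/bc/gui/sap/its/webgui")
MIN_HSTS_AGE = 31536000  # one year in seconds; an assumed policy threshold

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    m = re.search(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', header or "")
    return int(m.group(1)) if m else None

def audit(observations):
    """Each observation: scheme, path, status, headers (lower-case header names)."""
    findings = []
    for o in observations:
        url = f"{o['scheme']}://host{o['path']}"
        headers = o["headers"]
        served = 200 <= o["status"] < 300
        if o["scheme"] == "http":
            loc = urlsplit(headers.get("location", ""))
            if not (o["status"] in (301, 302, 307, 308) and loc.scheme == "https"):
                findings.append((url, "plain HTTP not redirected to HTTPS"))
            continue
        age = hsts_max_age(headers.get("strict-transport-security"))
        if age is None or age < MIN_HSTS_AGE:
            findings.append((url, "HSTS missing or max-age too short"))
        if served and o["path"].lower().startswith(LEGACY_UI):
            findings.append((url, "WDA/WebGUI reachable"))
        elif served and not o["path"].lower().startswith(FIORI_ALLOWED):
            findings.append((url, "path outside Fiori allowlist is forwarded"))
    return findings

# Constructed sample observations (not captured from a real system).
LAUNCHPAD = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"
SAMPLE = [
    {"scheme": "http", "path": LAUNCHPAD, "status": 200, "headers": {}},
    {"scheme": "https", "path": LAUNCHPAD, "status": 200,
     "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}},
    {"scheme": "https", "path": "/sap/bc/gui/sap/its/webgui", "status": 200,
     "headers": {"strict-transport-security": "max-age=300"}},
    {"scheme": "https", "path": "/sap/bc/webdynpro/sap/example_app", "status": 403,
     "headers": {"strict-transport-security": "max-age=31536000"}},
]

if __name__ == "__main__":
    for url, issue in audit(SAMPLE):
        print(f"{issue}: {url}")
```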
Protect your environment
Ensure that your remote workers always:
- Use strong passwords on their mobile devices
- Never leave their devices unattended when in public
- Never use public Wi-Fi
- Stay aware of their surroundings, particularly when entering login credentials in public
Improve your security with third-party solutions
SAP applications face a multitude of cybersecurity risks because 77% of the world’s transaction revenue touches an SAP system. SAP systems process and store the highly sensitive data that enterprises need to manage customers, employees, and suppliers. This data includes financial results, credit card numbers, strategic plans, and intellectual property.
SAP applications are also vulnerable because of how they are built. Standard anti-virus programs, for example, cannot recognize or address SAP cybersecurity threats. And with more workers than ever using SAP Fiori to work remotely, the threats to SAP applications are only increasing.
That’s why choosing a third-party solution is necessary to safeguard your web-facing SAP applications. A reputable SAP cybersecurity solution saves your business time and resources while improving your defenses.
A good third-party solution will:
- Detect and block malicious user input from SAP applications, both in real time and in memory
- Plug directly into the SAP Internet Communication Manager, needing no changes to the application code
- Retain end-to-end encryption
- Detect and block malware in file uploads, even if hidden or otherwise camouflaged
Consider Secure Web Dispatcher from bowbridge
Secure Web Dispatcher by bowbridge is the only software-based Application Delivery Controller for SAP applications. It ensures the availability, integrity and performance of web-facing SAP applications for on-premise and cloud-based SAP implementations.
Secure Web Dispatcher eliminates one of the most common complaints against cybersecurity measures—that they decrease performance. Secure Web Dispatcher protects against attacks while improving the user experience and application server resource-utilization.
Unlike competing solutions, Secure Web Dispatcher is software-only, cloud-ready and built specifically for SAP applications. Secure Web Dispatcher:
- Deploys easily in the cloud and on-premise
- Improves security
- Delivers unprecedented visibility into your performance and security posture
- Improves compliance
- Integrates with SAP and enterprise security tools
- Delivers improved user experience and performance