SAP Security Notes: Why They Still Leave You Vulnerable

Jun 28, '18 by Joerg Schneider-Simon

It’s no surprise that SAP is one of the most widely used business platforms in the world, considering how wide-ranging and versatile it is.

And as a responsible company, SAP works hard to push out patches (called “security notes” in SAP-speak) on a regular basis, to make sure that its clients’ systems are as up-to-date as possible.

So … your system should be perfectly safe, right?

Well … no. Not even close.

As it turns out, there are multiple reasons why SAP security notes are nowhere near enough to keep the average SAP system safe and running well.

But first, let’s look at how SAP manages their security notes.

What SAP Does (and Doesn’t) Do

As mentioned, SAP is a behemoth of a system, and with any system this massive, it’s no surprise that vulnerabilities, both large and small, occur. Sensibly, SAP devotes most of its focus to high-risk vulnerabilities. To date, SAP has released over 4000 security notes (269 of them in 2017), adding 20 or more every month. Like clockwork, SAP publishes its security notes monthly, along with any needed patches.

From there, it’s up to each company to install their own patches.

And that’s where things fall apart.

The Problem With Patches

Ironically, when SAP patches come out, there is a window of increased vulnerability. This is because once cyberattackers are alerted to a vulnerability by the published note, it is comparatively simple to reverse-engineer the fix and work out how to exploit the unpatched systems.

If everybody applied the patches as soon as they were released, this wouldn’t be as much of an issue. But they don’t.

We spoke with Joris van de Vis of ERP-SEC, which offers Protect4S, an SAP-certified add-on that gives customers insight into the security status of their SAP systems. He confirmed, “Most SAP customers do not regularly apply the SAP security notes.”

This assertion is borne out by a survey Protect4S conducted, which showed that fewer than 30% of respondents apply SAP security notes every month. Most apply them every six months, and an alarming 13% don’t apply them at all.

Why is that?

“The truth is, it’s a lot of work,” says van de Vis. “It’s not like an operating system on your home computer that gets updated automatically with the click of a mouse. You have to apply each patch manually, in every system where you want to apply it. And if we’re talking about 20-30 patches per month … do the math. It can take hours to apply those.”

Among the companies that don’t apply notes, the reasons are enlightening: half of the respondents said they don’t apply security patches because they’re afraid of breaking something.

“Because SAP is such a business-critical system, if it goes down, all hell breaks loose,” explains van de Vis. “They cannot ship, they cannot send out invoices, they cannot do their administration. Plants could come to a standstill. In reality, 99 out of 100 times, implementing a security patch will go fine. But there’s still a risk that an SAP security note could break a business process, no matter how vigorously SAP tests it.” One major reason for this fear is a lack of personnel with specialized SAP knowledge.

How to Protect Your SAP System

The first step to making sure your SAP system is protected is to be diligent about applying security patches. According to van de Vis, there are three very important things to remember about security notes: “Patch often, patch quickly, and patch everything.”

Applying those patches (or getting Protect4S to do it for you automatically) is an excellent way to reduce the odds of cyberattackers exploiting vulnerabilities in your SAP system.
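The three rules above translate directly into measurable checks: every system in the landscape is covered (patch everything), each note is implemented within a fixed number of days of release (patch quickly), and the check runs every month (patch often). The following audit script is an added example, not code from the article or from Protect4S or bowbridge. The note identifiers, release dates, system IDs and implementation dates are constructed placeholders, and the 30-day threshold is an assumption; a real run would read the inventory from your own patch-tracking records.

```python
"""Patch-compliance audit over a constructed SAP landscape inventory.

Added example; not code from the original article or from any vendor.
Note IDs, dates and system IDs below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SecurityNote:
    note_id: str        # placeholder identifier, not a real SAP Note number
    released: date      # date the note was published
    priority: str       # "HotNews", "High", "Medium" or "Low"


@dataclass(frozen=True)
class SapSystem:
    sid: str            # three-letter system ID
    role: str           # "PRD", "QAS" or "DEV"
    applied: dict       # note_id -> date the note was implemented on this system


@dataclass(frozen=True)
class Finding:
    sid: str
    note_id: str
    priority: str
    status: str         # "missing" (never applied) or "late" (applied after the threshold)
    lag_days: int       # days between release and implementation (or today, if missing)


# Constructed sample data: one release per month for April, May and June 2018.
NOTES = [
    SecurityNote("NOTE-0001", date(2018, 4, 10), "HotNews"),
    SecurityNote("NOTE-0002", date(2018, 4, 10), "Medium"),
    SecurityNote("NOTE-0003", date(2018, 5, 8), "High"),
    SecurityNote("NOTE-0004", date(2018, 6, 12), "High"),
]

LANDSCAPE = [
    SapSystem("PRD", "PRD", {"NOTE-0001": date(2018, 4, 20),
                             "NOTE-0002": date(2018, 4, 20),
                             "NOTE-0003": date(2018, 5, 15)}),
    SapSystem("QAS", "QAS", {"NOTE-0001": date(2018, 4, 13),
                             "NOTE-0002": date(2018, 4, 13),
                             "NOTE-0003": date(2018, 5, 10),
                             "NOTE-0004": date(2018, 6, 14)}),
    # A development box that is rarely patched: the "patch everything" gap.
    SapSystem("DEV", "DEV", {"NOTE-0001": date(2018, 6, 1)}),
]


def audit(notes, systems, today, max_lag_days=30):
    """Return one Finding per (system, note) pair that is missing or applied late."""
    findings = []
    for system in systems:
        for note in notes:
            if note.released > today:
                continue  # not yet published as of the audit date
            applied_on = system.applied.get(note.note_id)
            if applied_on is None:
                lag = (today - note.released).days
                findings.append(Finding(system.sid, note.note_id, note.priority, "missing", lag))
            else:
                lag = (applied_on - note.released).days
                if lag > max_lag_days:
                    findings.append(Finding(system.sid, note.note_id, note.priority, "late", lag))
    return findings


def summarize(findings):
    """Per-system counts of missing and late notes plus the worst lag in days."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.sid, {"missing": 0, "late": 0, "worst_lag": 0})
        entry[f.status] += 1
        entry["worst_lag"] = max(entry["worst_lag"], f.lag_days)
    return summary


def run_audit(today=date(2018, 6, 28), max_lag_days=30):
    """Convenience entry point over the constructed sample data."""
    return summarize(audit(NOTES, LANDSCAPE, today, max_lag_days))


if __name__ == "__main__":
    for sid, entry in sorted(run_audit().items()):
        print(f"{sid}: {entry['missing']} missing, {entry['late']} late, "
              f"worst lag {entry['worst_lag']} days")
```

Systems that are fully compliant (QAS in the sample) do not appear in the summary at all, so the output is a worklist rather than a report; the `priority` field is carried on each finding so a HotNews note missing from production can be sorted to the top.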

However, applying security patches is only one part of the picture. System security is also affected by the SAP system’s own configuration, such as profile parameters and settings, as well as by malicious files or cyberattacks that can slip past OS-level anti-virus programs.

“The SAP security notes only deal with bugs and vulnerabilities in the software. But they don’t protect you from malicious content coming from other sources. They don’t protect you from architectural flaws in your system that might lead to unwanted people getting access. You still need to look at any malicious files that flow into your system via email or workflow, or otherwise,” explains van de Vis.

Checking dozens (if not hundreds) of parameters and configuration settings on a regular basis, applying patches regularly, and still protecting the system from malware is proving to be a massive task, one beyond the capabilities of a large number of organizations, which is why they turn to third-party solutions like Protect4S or bowbridge.
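The parameter-checking part of that task is mechanical once a baseline exists: dump the active profile parameters, compare each one against the expected value, and report the deviations. The script below is an added example of that comparison, not code from the article or from any vendor. The parameter names are real SAP profile parameters chosen for illustration; the dump is a constructed sample, and the baseline values are assumptions that should be replaced by the thresholds in your own hardening standard.

```python
"""Profile-parameter baseline check over a constructed parameter dump.

Added example; not code from the article or from any vendor. The parameter
names are real SAP profile parameters used for illustration; the dump and the
baseline values are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed dump in "name = value" form, one parameter per line.
PARAM_DUMP = """\
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
rdisp/gui_auto_logout = 0
login/no_automatic_user_sapstar = 1
auth/rfc_authority_check = 1
"""

# Baseline: parameter -> (comparator, expected). Values are assumed, not from the article.
BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/password_expiration_time": ("between", (1, 90)),   # 0 would mean never expires
    "rdisp/gui_auto_logout": ("between", (1, 1800)),          # 0 would mean no auto-logout
    "login/no_automatic_user_sapstar": ("==", 1),
    "auth/rfc_authority_check": ("==", 1),
    "snc/enable": ("==", 1),                                  # absent from the dump above
}


@dataclass(frozen=True)
class Deviation:
    name: str
    actual: str      # raw value from the dump, or "not set"
    expected: str    # human-readable baseline rule


def parse_dump(text):
    """Parse 'name = value' lines into a dict; ignores blank or malformed lines."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w/.-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _satisfies(op, value, expected):
    if op == "==":
        return value == expected
    if op == ">=":
        return value >= expected
    if op == "<=":
        return value <= expected
    if op == "between":
        low, high = expected
        return low <= value <= high
    raise ValueError(f"unknown comparator {op!r}")


def check(params, baseline):
    """Return a Deviation for every baseline entry the dump fails or lacks."""
    deviations = []
    for name, (op, expected) in baseline.items():
        rule = f"{op} {expected}"
        raw = params.get(name)
        if raw is None:
            deviations.append(Deviation(name, "not set", rule))
            continue
        try:
            value = int(raw)
        except ValueError:
            deviations.append(Deviation(name, raw, rule + " (non-numeric value)"))
            continue
        if not _satisfies(op, value, expected):
            deviations.append(Deviation(name, raw, rule))
    return deviations


def run_check():
    """Convenience entry point over the constructed sample data."""
    return check(parse_dump(PARAM_DUMP), BASELINE)


if __name__ == "__main__":
    for d in run_check():
        print(f"{d.name}: actual {d.actual}, expected {d.expected}")
```

Keeping the baseline as data rather than code means the same checker can be re-run after every monthly patch cycle, and a new entry in the hardening standard is a one-line addition; a parameter that is absent from the dump is reported too, since a missing setting silently falls back to the default.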

In contrast to security patches, which are applied monthly at best, bowbridge Anti-Virus for SAP Solutions automatically checks for virus signature updates and scan engine updates at configurable short intervals of only a few minutes, applying them as soon as they become available.

By applying security patches regularly and combining them with a comprehensive anti-virus solution designed solely for SAP, companies can maximize their protection and keep their mission-critical SAP systems safe, secure, and working the way they should.
