onapsis

Company Description

Onapsis is more than your typical application cybersecurity company. We’re different because our solutions help eliminate the costs and risks preventing you from building better, smarter and more dynamic applications, faster and more securely. We protect you at the core of your business, keeping the business-critical applications you depend on daily secure, compliant and available. Because we’re application-focused, we’re also deeply invested in enabling your future—helping you build in the cyber resilience you need to pursue digital transformation.

Multimedia Center

Interview with Steve Zalewski, Deputy CISO, Levi Strauss & Co.

Featured Content

A recent report shows that the attacks are now becoming more common and complex. Learn how to stay vigilant to avoid the new angles cyber attackers are incorporating while targeting ERP applications.
This article shares insights from SAP experts on what gets in the way of security patching, considerations to keep in mind when migrating to SAP S/4HANA, and best practices for building a security patching framework.

Articles / Case Studies / Videos

Recap of “Evolving Your SAP Security and Compliance Strategy in the Era of Cloud and SAP S/4HANA”

By Annie Kennedy, Associate Conference Producer

Jason Fruge (JF), Vice President, Business Application Cybersecurity at Onapsis, was the expert in the Q&A titled “Evolving Your SAP Security and Compliance Strategy in the era of Cloud & SAP S/4HANA,” which aired live on day 1 of SAPinsider's 2020 Virtual Conference Experience. Although Jason is a more than 20-year security practitioner, he wasn’t familiar with SAP and what it does with organizations’ business functions for most of his career. A few years ago, he took advantage of a business risk illustration and was shocked that none of the security controls he’d invested in detected the threat. As he reflected on what a huge issue that was, how a company can’t have the resources to patch everything with rigor and must consider the most important applications and how those functions are protected, he was prompted to build a business case. He got funding to apply for the approved security process, and he was lucky to have a team that was interested in solving the security problem and understood the importance of finding new solutions.

The Q&A was moderated by SAPinsider's VP of Research and Publishing, Robert Holland (RH). Here are a few snippets from the conversation.

Q: What sort of security challenges do you see customers facing as they begin to deploy the cloud? Is this a good time to evaluate their security?

JF: People are beginning to host portions or all of SAP systems or data on someone else’s network. It’s a challenge in this shared model being responsible for securing your data, even on someone else’s network. Whatever tools you introduce will face that challenge. Organizations need to consider more than firewalls in an age of socially engineered hacks such as phishing. You have to actively educate people on what they can and can’t share. Another factor that weakens security is that SAP is more accessible than ever, put online so people can pull up data on their cell phones. Workplaces are remote during the pandemic, so there’s more cloud-based access of data, and organizations need to consider new modes to combat security threats or leaks.

Q: What is the biggest thing a security lead should know or do before starting a move to S/4HANA?

JF: Have a meaningful conversation with the team about how they plan to organize and access data in this new environment, what level of risk can be accepted, and what security strategy can be comprehensive enough to protect what’s most important to them.

Q: What steps should SAPinsiders take to ensure security?

JF: People-process or technology-process, but companies need a holistic strategy that accounts for both. Organizations should look beyond user authorizations; see if the configurations are secure, patches installed, programs updated, etc. Hackers have a lot of incentive to break into SAP systems. 77% of the world’s financial transactions and 78% of the world’s food distribution go through some form of SAP technology; it’s not an enterprise security problem but a national security problem that could have a devastating impact. It’s important to have a strong security system in place.

RH: Warehouses and packing plants being shut down by the pandemic had an immediate impact on supermarket stock. Imagine the issue if someone deliberately attacked our global supply chain. Everyone needs to take notice and ensure the chain is resilient. How would your company be affected if your supply chain was taken down? It’s a great conversation piece that everyone should discuss.

Q: Are there vulnerabilities people might not be considering, and how important is the security of the HANA database itself?

JF: SAP is installed on an operating system. The fastest way to manipulate the SAP application is within the operating system; secure the OS first, then the application next.

Q: How can an internal audit function best partner with the IT organization during a move to SAP S/4HANA?

JF: Have a good relationship with the architects so they can identify any gaps during production rather than retroactively. Strong relationships are key! We can also automate a lot of the audit, so when they come in to do them, we can arm them with information without having to stop their work to support the audit.

Q: Is there an easy way to apply the SAP security patches that get sent out, and is SAP Solution Manager the best alternative?

JF: SAP Solution Manager is a fine way to get patches done, but it has limitations; it’s an honor system where you check a box and say you applied a patch, but it may not have been applied appropriately. Onapsis’ solution actually tests the patches to be sure they were applied appropriately. Applying patches is a challenge; SAP will give priority scores to patches, and you have to translate the impact of that on your own organization, because what’s high priority for them might be low for you and vice versa. There’s no quick solution, but the capability to apply patches from a technology perspective is the easy part; the business analysis that goes into that decision is the harder part.

Case Study - Global Advertising Company Saves Time and Money by Migrating to SAP HANA with Onapsis

THE CHALLENGE: Migrate SAP ECC to SAP HANA while ensuring security and compliance. THE SOLUTION: The Onapsis Platform enabled the firm to complete the migration one year ahead of schedule thanks to stable, tested applications, while strengthening security and compliance. Many large companies rely on SAP as a key component of their business. Learn how a global advertising company saved time and money by migrating to SAP HANA one year ahead of schedule.

Threat Report: 10KBLAZE

In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of The Onapsis Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring and remediation of affected organizations globally. Check out the full threat report with information about how to determine if you are at risk and steps to take for remediation.

Top challenges of a CIO

The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.

The Secure Transformation to SAP HANA

Is SAP HANA really the new big thing? Developed in 2008 by the Hasso Plattner Institute and Stanford University, SAP HANA was introduced in 2010—in the same year as the iPad. It's hard to imagine our lives without the latter, but the adoption of SAP HANA technology is advancing much more slowly. SAP has approximately 380,000 customers and, as of the end of 2017, only 8,000 were using SAP S/4HANA, the application that seamlessly builds on the platform and has existed since 2015. Looking ahead, however, exponential growth is inevitably just around the corner. SAP systems that are not based on SAP HANA technologies will most likely no longer be supported after 2025. With a quick glance at a calendar, it becomes clear that now is the time to initiate the complex and long transformation to SAP HANA. Although the deadline is a clear motivation for the transformation, the focus for organizations should be on the opportunities that SAP HANA offers. When properly planned and implemented, the switch to SAP S/4HANA can be an important milestone toward a digital enterprise.

High Profile Vulnerabilities in SAP Applications and How to Be Prepared

By Juan Perez-Etchegoyen, CTO, Onapsis

Enterprise software is complex due to its nature and its interconnectivity with business processes. On top of that, software is made by humans, which means that regardless of how much we want to avoid it, bugs will be there and, not uncommonly, critical ones. This holds true for many software vendors such as Microsoft, Apple, Oracle, Intel, Adobe, VMware... and also SAP. What all of these vendors also have in common is how they deal with the patches that solve those vulnerabilities, through what is called “Patch Tuesday.” Patch Tuesday is the second Tuesday of every month and has now become a standard day on which large software makers release the fixes for security vulnerabilities in their software. In this manner, patches are released in a coordinated way, giving organizations’ IT departments the opportunity to be prepared. Even though it is impossible to know if the number of patches a vendor will release is 0, 1 or 10, at least these IT teams can better expect the unexpected, knowing that on the second Tuesday of every month there is potentially going to be a bunch of things to fix across the board.

A Positive Trend

But what about the applications that support your most critical business processes and hold your crown jewels? IT admins have been dealing with Patch Tuesday for the last few years and are getting used to the overhead of patches being implemented. But the SAP BASIS teams, who manage your SAP applications and ensure their availability and uptime, have been slower to adopt this patching process, because the cadence of changes within SAP applications is completely different from, for example, the ability to react and apply a patch on a Windows-based host. Requesting a change management window is not a simple thing for SAP applications that run and support the most critical business processes of your organization. But that has been changing over the past few years, especially driven by a broader awareness of the need for cybersecurity controls around SAP applications. Additionally, even though the overall number of SAP Security Notes has been slowly decreasing over the years, due to SAP strategies to package and simplify customers' adoption of patches (for example, multiple vulnerabilities fixed through the same patch), there has been an increasing number of patches addressing critical vulnerabilities (HotNews in the SAP world). As seen in Figure 1, the evolution of SAP Security Notes shows a decrease in the total number of patches as well as an increase in HotNews over the past 5 years. This data does not consider the potential upcoming SAP Security Notes or HotNews in the remaining 4 months of 2020, which could change the trend too.

Figure 1: Evolution of SAP Security Notes over the past 5 years

Besides the number of total and critical SAP Security Notes, over the last years SAP has improved its response time to deliver security patches, which is especially important for critical vulnerabilities and shows an increasing focus on response time to critical issues.

Going Over Some Examples

In the next sections, we will go over some of the most recent and relevant examples of vulnerabilities, misconfigurations and exploits affecting SAP applications. The ones that are highlighted in this article are the ones that historically generated CERT alerts due to the criticality of the issues.

RECON Vulnerability

CVE-2020-6287
Type: Software Vulnerability
CVSS: 10
Threat Report: SAP RECON Cybersecurity Vulnerability

On July 14th, 2020, SAP released its regular set of security patches, including the patch for a critical Common Vulnerability Scoring System (CVSS) 10 vulnerability, which was identified and reported to SAP by the Onapsis Research Labs. This vulnerability allows any unauthenticated attacker to completely compromise the SAP application through the Web service, which could be internal or Internet facing. Passive scanning of the Internet provided indicators of over 2500 vulnerable and exposed SAP applications before the patch was released. Measuring the number of Internet-facing applications this way shows the broad attack surface that the vulnerability opens. Besides that, there are potentially thousands of internal SAP applications also exposed, as almost every SAP customer was affected by this vulnerability due to the mandatory nature of some specific Java-based products, such as SAP Solution Manager.

Figure 2: Distribution of Internet-facing systems

This vulnerability got the attention of a number of international Computer Emergency Response Teams (CERTs), which released alerts to their audiences in many different countries. Some examples are US-CERT, through alert AA20-195A, and the BSI CERT-Bund, through CERT-Bund-Meldungen CB-K20/0690. The reasons why alerts were issued relate to the following aspects of the RECON vulnerability:
  • A broad attack surface both internal as well as Internet-facing.
  • No prerequisites for exploitation, anyone with network access can exploit it.
  • Full compromise can be achieved by the attacker.
  • Due to the critical nature of SAP applications, business data could be exposed.
SAP released several SAP Security Notes to address this issue and will continue to update them as more facts become known about the vulnerability and its impact. If you have not applied SAP Security Note 2934135 or the mitigation through SAP Security Note 2939665, it is highly recommended to do so to reduce the risk of exploitation, as threat actors are already exploiting it through both manual and automated campaigns.

Invoker Servlet Vulnerability in SAP Applications

CVE-2010-5326
Type: Combination of Software Vulnerability and Configuration
CVSS: 10
Threat Report: The Tip of the Iceberg: Wild Exploitation & Cyberattacks on SAP Business Applications

In 2016, the Onapsis Research Labs identified indicators of exploitation and compromise in dozens of organizations that were exposing SAP Java applications to the Internet without properly taking care of vulnerabilities or misconfigurations. The Invoker Servlet vulnerability in SAP Java applications, which was patched by SAP in 2010, was still a prevalent issue among SAP installations in 2016, and it opened a significant attack surface that threat actors were using to compromise SAP applications. With several publicly available exploits abusing this vulnerability, as well as detailed information on how to exploit it, the Invoker Servlet became a very critical issue for SAP applications. Because of that criticality, and the fact that threat actors were actively exploiting it, the very first US-CERT alert around cybersecurity for SAP applications was issued in May 2016: Alert TA16-132A.

Figure 3: US-CERT Alert highlighting an SAP security issue

What made this issue hard to patch is the fact that it is not a pure “software vulnerability,” but a combination of a software vulnerability and a configuration of the system. So even if organizations fix the issue, it can come back if proper controls are not in place. Even though the issue was fixed almost 10 years ago, and US-CERT alerted organizations 4 years ago, Onapsis still sees the Invoker Servlet vulnerability in SAP applications in 10-20% of its assessment engagements. This provides another data point on how organizations struggle with applying patches, even the most critical ones. SAP released SAP Security Notes to address the issue in 2010 and after the US-CERT alert was released:

10KBLAZE Vulnerability

CVE: N/A
Type: Security Configuration
CVSS: 10
Threat Report: 10KBLAZE threat report

In 2019, another cybersecurity vulnerability got top-level visibility across SAP customers: the 10KBLAZE vulnerability. This issue is not actually a software vulnerability like the ones seen in the previous examples; instead, it is a security configuration of a key component of SAP ABAP-based systems: the SAP Gateway. This component is in charge of communication between SAP applications, and if it is not properly secured, it could expose the entire SAP system and potentially its connected applications. The security settings of the SAP Gateway have been known and documented for years; however, SAP customers still struggle with securing that component. In May 2019, public exploits were released at a security conference, making this issue more critical as it significantly increased the probability of exploitation, even for internal systems. US-CERT raised an alert in this case too, AA19-122A, providing details about the vulnerability, the exploits and some potential mitigations. SAP released SAP Security Notes years before the release of the exploits to address these configuration issues:

Becoming Proactive with Cybersecurity for SAP Applications

With a security-by-design program you have visibility into your business-critical application environment, the ability to assess for vulnerabilities, prioritize and fix them, prevent configuration drift, and detect potential malicious attacks or internal misuse. This program starts by establishing security baselines when assessing and monitoring code, configurations, and aspects of your business processes throughout development, and carries them through to production.

Figure 4: A programmatic approach to security and compliance for SAP Applications

In working with some of our largest customers, Onapsis has identified the following key value drivers in defining and implementing an effective security program for your business-critical applications:
  • Protect your SAP systems from external attacks and internal misuse by mitigating risk
  • Streamline and automate compliance and audit processes to reduce manual effort and minimize inconsistencies
  • Devise and implement a cross-functional program that meets the needs of your ERP, compliance and security teams so the impact is continuous and risk management is effective
  • Accelerate your key business initiatives such as cloud migration, S/4HANA implementation, digital transformation or technical upgrades with reduced risk
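The program described above rests on two mechanical checks: comparing each system's configuration against a security baseline so drift is caught before it becomes a 10KBLAZE-style exposure, and verifying that required Security Notes (or their accepted mitigations) are actually present rather than merely ticked off, which is the "honor system" problem raised in the Q&A earlier on this page. The following Python script is an added example, not Onapsis code and not a description of The Onapsis Platform. It assumes a baseline of profile parameters and required notes, and a landscape of nodes each reporting its current parameters and applied notes; the parameter names are real SAP profile parameter names used only as labels, the expected values are this example's own assumptions (a real baseline takes them from SAP's notes and hardening guidance), and the landscape data is constructed. The note numbers 2934135 and 2939665 are the RECON patch and mitigation notes named in the article.

```python
"""Baseline drift and patch-state check over a constructed SAP-style landscape.

Added example; not Onapsis code. Parameter names are real SAP profile
parameters used as labels, but the expected values, the landscape data and
the severity model are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    node: str
    kind: str        # "param_drift" or "note_missing"
    key: str         # parameter name or note number
    expected: str
    actual: str
    severity: str    # "medium" | "high" | "critical"


# Constructed baseline: parameter -> (expected value, severity when it drifts).
# Expected values are this example's assumptions, not vendor guidance.
BASELINE_PARAMS: Dict[str, Tuple[str, str]] = {
    "gw/acl_mode": ("1", "critical"),
    "gw/reg_no_conn_info": ("255", "high"),
    "login/min_password_lng": ("12", "medium"),
}

# Required notes: note -> (severity if absent, mitigation note accepted as a
# compensating control while the patch is still pending, or None).
REQUIRED_NOTES: Dict[str, Tuple[str, Optional[str]]] = {
    "2934135": ("critical", "2939665"),
}


def check_node(node: str, params: Dict[str, str],
               applied_notes: Iterable[str]) -> List[Finding]:
    """Compare one node's observed state against the baseline."""
    findings: List[Finding] = []
    # 1. Configuration drift: any baseline parameter missing or off-value.
    for key, (expected, severity) in BASELINE_PARAMS.items():
        actual = params.get(key, "<unset>")
        if actual != expected:
            findings.append(Finding(node, "param_drift", key, expected, actual, severity))
    # 2. Patch state from what is observed on the node, not from a checkbox.
    applied = set(applied_notes)
    for note, (severity, mitigation) in REQUIRED_NOTES.items():
        if note in applied:
            continue
        if mitigation and mitigation in applied:
            # Mitigation present: risk reduced but the patch is still owed.
            findings.append(Finding(node, "note_missing", note, "applied",
                                    f"mitigated via {mitigation}", "high"))
        else:
            findings.append(Finding(node, "note_missing", note, "applied",
                                    "not applied", severity))
    return findings


def check_landscape(landscape: Dict[str, dict]) -> Dict[str, List[Finding]]:
    """Run the check per node, since drift and patches apply per node."""
    return {node: check_node(node, data["params"], data["notes"])
            for node, data in landscape.items()}


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a node's findings into a single priority for the report."""
    order = ["none", "medium", "high", "critical"]
    return order[max((order.index(f.severity) for f in findings), default=0)]


# Constructed sample landscape: one clean node, one drifted-but-mitigated
# node, and a development node that was never brought up to baseline.
SAMPLE_LANDSCAPE = {
    "PRD-app01": {"params": {"gw/acl_mode": "1", "gw/reg_no_conn_info": "255",
                             "login/min_password_lng": "12"},
                  "notes": ["2934135"]},
    "PRD-app02": {"params": {"gw/acl_mode": "0", "gw/reg_no_conn_info": "255",
                             "login/min_password_lng": "12"},
                  "notes": ["2939665"]},
    "DEV-app01": {"params": {"gw/acl_mode": "1"}, "notes": []},
}

if __name__ == "__main__":
    for node, findings in check_landscape(SAMPLE_LANDSCAPE).items():
        print(f"{node}: overall={worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.kind} {f.key}: expected {f.expected}, got {f.actual}")
```

Severity is deliberately reduced, not cleared, when only the mitigation note is present: the workaround lowers the probability of exploitation, but the patch remains a tracked obligation, which mirrors the distinction the article draws between note 2934135 and mitigation note 2939665.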

Simply Securing a System Is No Longer Sufficient

By Robert Holland, VP Research, SAPinsider

Securing an SAP system used to involve checking access and process controls and ensuring that the most recent SAP Notes had been applied. Now it involves not only ensuring that the system itself is up to date, but also addressing cybersecurity and compliance issues.

The Threat Landscape for SAP Systems

A few years ago, the most critical systems that SAP customers needed to secure were SAP ECC and SAP NetWeaver and the on-premise applications to which these connected. However, as organizations have started digital transformation projects, security and compliance have evolved, as has the risk and threat landscape. Organizations may now be in the process of migrating to SAP S/4HANA, either on SAP HEC or with a public cloud provider, as well as consuming SAP Cloud Platform using Cloud Connector and utilizing data from solutions running through SAP SuccessFactors, SAP Ariba, or SAP Concur. And as they grow through acquisitions, or simply because they are running both SAP and non-SAP solutions, they may find they need to integrate solutions from Oracle, Salesforce, and Workday into their SAP landscapes. This complexity of applications, and the complexity of integrating these systems, also complicates the security landscape. But even as organizations work to detect and control the risks in their landscapes and defend them against potential intrusions, they also need to ensure that they are addressing increasing compliance requirements. To gain a better understanding of how this is impacting SAP customers, SAPinsider recently spoke with Juan Pablo Perez-Etchegoyen, CTO of Onapsis, about security, compliance, and the trends he’s seeing from SAP customers around the world.

Making Your Systems Secure and Compliant

According to Onapsis’ Perez-Etchegoyen, the threat landscape for SAP systems is growing. For example, since the RECON vulnerability was addressed by SAP in July, there has been an uptick in sources exploiting that vulnerability across the internet. “Most of the time it’s not as simple as a patch, because the process of deploying the patch requires a downtime window which introduces a lot of friction with the business,” said Perez-Etchegoyen. This downtime window means that someone needs to decide when the system will be offline. And mitigations can also have a different impact when they must be applied per node or per system, or when the weakness can still be exploited via user credentials. According to Perez-Etchegoyen, “because these are business applications the complexity levels require the right technology and focus to keep them secure.” A big trend that Onapsis is seeing is that of not only keeping systems secure but ensuring that they are also compliant. “Regulators realize more and more the need to include cybersecurity as part of system control because in large enterprises SOX compliance is critical,” said Perez-Etchegoyen. He sees regulators, auditors, and the compliance ecosystem really starting to pay attention to cybersecurity, specifically when it comes to SAP applications. This is especially true when an application is covered by some sort of compliance regulation. “Somewhere, these organizations will be covered by a compliance regulation, and so they’ll need to make sure that they have tools in place to measure that and ensure that they are meeting those regulations,” added Perez-Etchegoyen. This is where having a security and compliance solution can make an impact in an organization.

Onapsis’ offering in this space, The Onapsis Platform for Cybersecurity and Compliance, provides four main functionalities to assist organizations: Assess, so that risks can be detected; Control, so that a risk can be prevented from being introduced; Defend, so that a user has the right visibility when risks are identified; and Comply, which automates the compliance posture to address compliance needs. Any risks found are then fully transparent to the end user, who can readily address the issue. This also extends to the cloud, where the data consumed in a cloud instance is still the responsibility of the customer. Even with SaaS applications like SAP SuccessFactors, where patching isn’t an issue for the end user, there may still be data issues because of the complexity of services, modules, components, and customizations that organizations don’t have visibility into. And the more that any functionality is customized, the more difficult the application is to secure and to keep compliant.

What Does This Mean for SAPinsiders?

As organizations accelerate deployment of cloud-based technologies, something which 99% of the SAPinsider Community say they are already running, the security and threat landscape within an organization must be extended to include these new systems. At the same time, these systems must also follow compliance regulations like GDPR, SOX, and CCPA. What steps should you be taking to make sure that your systems and data are secure?
  • Determine your security and compliance plans before deploying applications in the cloud. “Adopting security and compliance policies when migrating to the cloud provides an acceleration of timelines,” says Perez-Etchegoyen. If these policies aren’t in place in the beginning, organizations will need to come back and implement them which causes delays. Having policies in place early helps ensure a faster and more secure adoption.
  • Investigate which regulations impact your organization and implement plans for ensuring compliance. With the growing prevalence of regulations for data and financial governance, organizations need to know exactly which ones impact them, and how they will ensure that they meet those standards. Given that these standards may come into play even if they only work with a vendor or have a customer in a region impacted by these regulations, knowing the extent of regulations and having plans in place to comply to those is very important.
  • Carefully examine your existing security tools to determine whether they will meet future needs. While most SAPinsiders ensure that their systems apply critical SAP Notes and patches, SAPinsider research showed that the top driver around enterprise security was a demand for a more holistic security strategy. In addition, a key action they were taking was that of building an integrated security strategy. Both these steps suggest that most organizations’ current security strategy does not fully meet their needs, so examining what they are doing from a security standpoint and what they will need for the future, particularly when moving to the cloud, is critical.
  • Implement training plans for internal security and compliance teams. Although solutions like The Onapsis Platform do not require every user to be a cybersecurity expert in order for the organization to gain significant benefit, ensuring that compliance teams and SAP security officers have the appropriate training can help provide a greater benefit for the organization. And while benefits will be gained in the security tools being used, they will also extend to the whole organization as they help SAPinsiders prepare for future regulation changes and compliance and security challenges.

About Onapsis

Based in Boston, Massachusetts, Onapsis protects mission-critical applications from SAP, Oracle, and Salesforce, and serves more than 300 of the world’s leading brands, including 20% of the Fortune 100. Onapsis’ flagship solution, The Onapsis Platform for Cybersecurity and Compliance, is one of the first cybersecurity and compliance platforms to become an SAP Endorsed App. It is currently available in the SAP App Center.

view

Share on Social

Share on facebook
Share on twitter
Share on linkedin
https://www.facebook.com/OnapsisLife/

Articles / Case Studies / Videos

Recap of “Evolving Your SAP Security and Compliance Strategy in the Era of Cloud and SAP S/4HANA”

By Annie Kennedy, Associate Conference Producer Jason Fruge (JF)Vice President, Business Application Cybersecurity at ‎Onapsis, was the expert in the Q&A titled “Evolving Your SAP Security and Compliance Strategy in the era of Cloud & SAP S/4HANA,” which aired live on day 1 of SAPinsider's 2020 Virtual Conference ExperienceAlthough Jason is a more than 20-year security practitioner, he wasn’t familiar with SAP and what it does with organizations’ business functions for most of his career. A few years ago, he took advantage of a business risk illustration and was shocked that none of the security controls he’d invested in detected the threat. As he reflected on what a huge issue that was, how a company can’t have the resources to patch everything with rigor and must consider the most important applications and how those functions are protected, he was prompted to build a business case. He got funding to apply for the approved security process, and he was lucky to have a team that was interested in solving the security problem and understood the importance of finding new solutions.  The Q&A was moderated by SAPinsider's VP of Research and Publishing, Robert Holland (RH). Here are a few snippets from the conversation. Q: What sort of security challenges do you see customers facing as they begin to deploy the cloud? Is this a good time to evaluate their security? JF: People are beginning to host portions or all of SAP systems or data on someone else’s network. It’s a challenge in this shared model being responsible for securing your data, even on someone else’s network. What tools are you introducing will face that challenge. Organizations need to consider more than firewalls in an age of socially engineered hacks such as phishingYou have to actively educate people on what they can and can’t share. Another factor that weakens security is that SAP is more accessible than ever, put online so people can pull up data on their cell phones. 
Workplaces are remote during the pandemic, so there’s more cloud-based access of data, and organizations need to consider new modes to combat security threats or leaks.     Q: What is the biggest thing a security lead should know or do before starting a move to S/4HANA?   JF: Have a meaningful conversation with the team about how they plan to organize and access data in this new environment, what level of risk can be accepted, and what security strategy can be comprehensive enough to protect what’s most important to them.    Q: What steps should SAPinsiders take to ensure security?  JF: People-process or technology-process, but companies need a holistic strategy that accounts for both. Organizations should look beyond user authorizations; see if the configurations are secure, patches installed, programs updated, etc. Hackers have a lot of incentive to break into SAP systems. 77% of the world’s financial transactions and 78% of the world’s food distribution go through some form of SAP technology; it’s not an enterprise security problem but a national security problem that could have a devastating impact. It’s important to have a strong security system in place. RH: Warehouses and packing plants being shut down by the pandemic had an immediate impact on supermarket stock. Imagine the issue if someone deliberately attacked our global supply chain. Everyone needs to take notice and ensure the chain is resilient.  How would your company be affected if your supply chain was taken down? It’s a great conversation piece that everyone should discuss.    Q: Are there vulnerabilities people might not be considering, and how important is the security of the HANA database itself?   JF: SAP is installed on an operating system.  The fastest way to manipulate the SAP application is within the operating system; secure the OS first, then the application next.     Q: How can an internal audit function best partner with the IT organization during a move to SAP S/4HANA?   
JF: Have a good relationship with the architects so they can identify any gaps during production rather than retroactively. Strong relationships are key! We can also automate a lot of the audit, so when they come in to do them, we can arm them with information without having to stop their work to support the audit.     Q: Is there an easy way to apply the SAP security patches that get sent out, and iSAP Solution Manager the best alternative?   JF: SAP Solution Manager is a fine way to get patches done but it has limitations; it’s an honor system where you check a box and say you applied a patch, but it may not have been applied appropriately. Onapsis’ solution actually tests the patches to be sure they were applied appropriately. Applying patches is a challenge; SAP will give priority scores to patches, and you have to translate the impact of that on your own organization, because what’s high priority for them might be low for you and vice-versa. There’s no quick solution, but the capabilities to put on patches from a technology perspective is the easy part; the business analysis that goes into that decision is the harder part.   


Case Study - Global Advertising Company Saves Time and Money by Migrating to SAP HANA with Onapsis

THE CHALLENGE: Migrate SAP ECC to SAP HANA while ensuring security and compliance.

THE SOLUTION: The Onapsis Platform enabled the firm to complete the migration one year ahead of schedule thanks to stable, tested applications, while strengthening security and compliance.

Many large companies rely on SAP as a key component of their business. Learn how a global advertising company saved time and money by migrating to SAP HANA one year ahead of schedule.


Threat Report: 10KBLAZE

In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of The Onapsis Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring and remediation of affected organizations globally. Check out the full threat report with information about how to determine if you are at risk and steps to take for remediation.


Top challenges of a CIO

The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.


The Secure Transformation to SAP HANA

Is SAP HANA really the new big thing? Developed in 2008 by the Hasso Plattner Institute and Stanford University, SAP HANA was introduced in 2010—in the same year as the iPad. It's hard to imagine our lives without the latter, but the adoption of SAP HANA technology is advancing much more slowly. SAP has approximately 380,000 customers, and as of the end of 2017 only 8,000 were using SAP S/4HANA, the application that seamlessly builds on the platform and has existed since 2015. Looking ahead, however, exponential growth is inevitably just around the corner. SAP systems that are not based on SAP HANA technologies will most likely no longer be supported after 2025. With a quick glance at a calendar, it becomes clear that now is the time to initiate the complex and long transformation to SAP HANA. Although the deadline is a clear motivation for the transformation, the focus for organizations should be on the opportunities that SAP HANA offers. When properly planned and implemented, the switch to SAP S/4HANA can be an important milestone toward a digital enterprise.


High Profile Vulnerabilities in SAP Applications and How to Be Prepared

By Juan Perez-Etchegoyen, CTO, Onapsis

Enterprise software is complex by nature and because of its interconnection with business processes. On top of that, software is made by humans, which means that regardless of how much we want to avoid it, bugs will be there, and not uncommonly critical ones. This holds true for many software vendors such as Microsoft, Apple, Oracle, Intel, Adobe, VMware, and also SAP. What all of these vendors also have in common is how they deal with the patches that solve those vulnerabilities, through what is called “Patch Tuesday.” Patch Tuesday is the second Tuesday of every month and has become a standard day on which large software makers release the fixes for security vulnerabilities in their software. In this manner, patches are released in a coordinated way, giving organizations’ IT departments the opportunity to be prepared. Even though it is impossible to know whether the number of patches a vendor releases will be 0, 1 or 10, at least IT teams can better expect the unexpected, knowing that on the second Tuesday of every month there is potentially going to be a bunch of things to fix across the board.

A Positive Trend

But what about the applications that support your most critical business processes and hold your crown jewels? IT admins have been dealing with Patch Tuesday for the last few years and have grown used to the overhead of implementing patches. The SAP BASIS teams, who manage your SAP applications and ensure their availability and uptime, have been slower to adopt this patching process, because the cadence of change within SAP applications is completely different from, for example, the ability to react and apply a patch to a Windows-based host. Requesting a change management window is not a simple thing for SAP applications that run and support the most critical business processes of your organization. But that has been changing over the past few years, driven especially by a broader awareness of the need for cybersecurity controls around SAP applications. Additionally, even though the overall number of SAP Security Notes has been slowly decreasing over the years, due to SAP strategies to package patches and simplify customers' adoption of them (for example, multiple vulnerabilities fixed through the same patch), there has been an increasing number of patches addressing critical vulnerabilities (HotNews in the SAP world). As seen in Figure 1, the evolution of SAP Security Notes shows a decrease in the total number of patches as well as an increase in HotNews over the past 5 years. This data does not consider the SAP Security Notes or HotNews that may still be published in the remaining 4 months of 2020, which could change the trend.

Figure 1: Evolution of SAP Security Notes over the past 5 years

Besides the total and critical numbers of SAP Security Notes, over the last years SAP has improved its response time for delivering security patches, which is especially important for critical vulnerabilities and shows an increasing focus on response time to critical issues.

Going Over Some Examples

In the next sections, we will go over some of the most recent and relevant examples of vulnerabilities, misconfigurations and exploits affecting SAP applications. The ones that are highlighted in this article are the ones that historically generated CERT alerts due to the criticality of the issues.

RECON Vulnerability

CVE: CVE-2020-6287
Type: Software Vulnerability
CVSS: 10
Threat Report: SAP RECON Cybersecurity Vulnerability
On July 14th, 2020, SAP released its regular set of security patches, including the patch for a critical Common Vulnerability Scoring System (CVSS) 10 vulnerability, which was identified and reported to SAP by the Onapsis Research Labs. This vulnerability allows any unauthenticated attacker to completely compromise the SAP application through the Web service, which could be internal or Internet-facing. Passive scanning of the Internet provided indicators of over 2500 vulnerable and exposed SAP applications before the patch was released. Measuring the number of Internet-facing applications in this way demonstrates the broad attack surface the vulnerability opens. Besides that, there are potentially thousands of internal SAP applications also exposed, as almost every SAP customer was affected by this vulnerability due to the mandatory nature of some specific Java-based products, such as SAP Solution Manager.

Figure 2: Distribution of Internet-facing systems

This vulnerability got the attention of a number of international Computer Emergency Response Teams (CERTs), which released alerts to their audiences in many different countries. Examples are US-CERT, through alert AA20-195A, and the BSI CERT-Bund, through CERT-Bund advisory CB-K20/0690. The reasons the alerts were issued relate to the following aspects of the RECON vulnerability:
  • A broad attack surface both internal as well as Internet-facing.
  • No prerequisites for exploitation, anyone with network access can exploit it.
  • Full compromise can be achieved by the attacker.
  • Due to the critical nature of SAP applications, business data could be exposed.
SAP released several SAP Security Notes to address this issue and will continue to update them as more facts become known about the vulnerability and its impact. If you have not applied SAP Security Note 2934135, or the mitigation through SAP Security Note 2939665, it is highly recommended to do so to reduce the risk of exploitation, as threat actors are already exploiting it through both manual and automated campaigns.

Invoker Servlet Vulnerability in SAP Applications

CVE: CVE-2010-5326
Type: Combination of Software Vulnerability and Configuration
CVSS: 10
Threat Report: The Tip of the Iceberg: Wild Exploitation & Cyberattacks on SAP Business Applications
In 2016, the Onapsis Research Labs identified indicators of exploitation and compromise at dozens of organizations that were exposing SAP Java applications to the Internet without properly taking care of vulnerabilities or misconfigurations. The Invoker Servlet vulnerability in SAP Java applications, which was patched by SAP in 2010, was still a prevalent issue among SAP installations in 2016, and it opened a significant attack surface that threat actors were using to compromise SAP applications. With several publicly available exploits for this vulnerability as well as detailed information on how to exploit it, the Invoker Servlet became a very critical issue for SAP applications. Because of that criticality, and the fact that threat actors were actively exploiting it, the very first US-CERT alert on cybersecurity for SAP applications was issued in May 2016: Alert TA16-132A.

Figure 3: US-CERT Alert highlighting an SAP security issue

What made this issue hard to patch is that it is not a pure “software vulnerability” but a combination of a software vulnerability and a configuration of the system. So even if organizations fix the issue, it can come back if proper controls are not in place. Even though the issue was fixed almost 10 years ago, and US-CERT alerted organizations 4 years ago, Onapsis still sees the Invoker Servlet vulnerability in SAP applications in 10-20% of its assessment engagements. This provides another data point on how organizations struggle with applying patches, even the most critical ones. SAP released SAP Security Notes to address the issue in 2010 and after the US-CERT alert was released:

10KBLAZE Vulnerability

CVE: N/A
Type: Security Configuration
CVSS: 10
Threat Report: 10KBLAZE threat report
In 2019, another cybersecurity vulnerability got top-level visibility across SAP customers: the 10KBLAZE vulnerability. This issue is not actually a software vulnerability like the ones seen in the previous examples; instead it is a security configuration of a key component of SAP ABAP-based systems: the SAP Gateway. This component is in charge of communication between SAP applications and, if not properly secured, could expose the entire SAP system and potentially its connected applications. The security settings of the SAP Gateway have been known and documented for years; however, SAP customers still struggle with securing that component. In May 2019, public exploits were released at a security conference, making this issue more critical as it significantly increased the probability of exploitation, even for internal systems. US-CERT raised an alert in this case too, AA19-122A, providing details about the vulnerability, the exploits and some potential mitigations. SAP had released SAP Security Notes years before the release of the exploits to address these configuration issues:
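The Gateway settings the paragraph refers to live in the Gateway's access-control files: secinfo (which programs may be started, by whom and from where) and reginfo (which external programs may register at the Gateway). A defender's first check is simply to read those files for wildcard permits. The script below is an added example, not Onapsis or SAP code. It assumes the version-2 line syntax (an action letter P or D followed by KEY=VALUE tokens, with the host keywords local and internal); every file content in it is constructed, one weak and one hardened variant per file. It flags explicit permit rules that reach untrusted hosts and files with no closing deny rule; it does not model the Gateway's full matching semantics, so a clean result here is a starting point, not a certification.

```python
"""Audit SAP Gateway ACL files (secinfo / reginfo) for permissive rules.

Added example, not Onapsis or SAP code. Assumes the version-2 line syntax:
an action letter (P = permit, D = deny) followed by KEY=VALUE tokens, with
the host keywords "local" and "internal". All file contents are constructed.
"""
from dataclasses import dataclass, field

# Constructed: permits any host to register any program and anyone to use it.
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""
# Constructed: permits any user on any host to start any program.
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""
# Constructed hardened counterparts: only local and internal (application
# server) hosts are allowed, and an explicit deny rule closes the file.
HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=local ACCESS=local CANCEL=local
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""

TRUSTED_HOSTS = {"local", "internal"}


@dataclass
class Rule:
    action: str                      # "P" (permit) or "D" (deny)
    attrs: dict = field(default_factory=dict)
    lineno: int = 0


def parse_acl(text):
    """Parse ACL lines into Rule objects; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        attrs = {}
        for tok in tokens:
            key, _, val = tok.partition("=")
            attrs[key.upper()] = val
        rules.append(Rule(action, attrs, lineno))
    return rules


def _is_wildcard(value):
    # A missing attribute is treated like "*": it does not restrict anything.
    return value is None or value == "*"


def _trusted(value):
    return value in TRUSTED_HOSTS


def audit(text, kind):
    """Return a list of findings for a 'secinfo' or 'reginfo' file."""
    if kind not in ("secinfo", "reginfo"):
        raise ValueError(f"unknown ACL kind {kind!r}")
    rules = parse_acl(text)
    findings = []
    if not any(r.action == "D" for r in rules):
        findings.append("no explicit deny rule closes the file")
    for r in rules:
        if r.action != "P":
            continue
        tp, host = r.attrs.get("TP"), r.attrs.get("HOST")
        if kind == "reginfo":
            if _is_wildcard(tp) and not _trusted(host):
                findings.append(f"line {r.lineno}: any program may be registered from HOST={host}")
            if _is_wildcard(r.attrs.get("ACCESS")) and not _trusted(host):
                findings.append(f"line {r.lineno}: ACCESS=* on programs registered from HOST={host}")
        else:
            user_host = r.attrs.get("USER-HOST")
            if _is_wildcard(tp) and not (_trusted(host) and _trusted(user_host)):
                findings.append(f"line {r.lineno}: any program may be started (HOST={host}, USER-HOST={user_host})")
    return findings


if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("weak secinfo", WEAK_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo")]:
        print(f"{name}: {audit(text, kind) or ['OK']}")
```

Run it as-is to see the weak files produce findings and the hardened ones none; in practice point `audit` at the secinfo and reginfo files of each application server and keep the output with your baseline evidence, since these files are exactly the kind of setting that drifts back after a fix.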

Becoming Proactive with Cybersecurity for SAP Applications

With a security-by-design program you have visibility into your business-critical application environment, the ability to assess for vulnerabilities, prioritize and fix them, prevent configuration drift, and detect potential malicious attacks or internal misuse. This program starts by establishing security baselines when assessing and monitoring code, configurations, and aspects of your business processes throughout development, and carries them through to production.

Figure 4: A programmatic approach to security and compliance for SAP Applications

In working with some of its largest customers, Onapsis has identified the following key value drivers in defining and implementing an effective security program for your business-critical applications:
  • Protect your SAP systems from external attacks and internal misuse by mitigating risk
  • Streamline and automate compliance and audit processes to reduce manual effort and minimize inconsistencies
  • Devise and implement a cross-functional program that meets the needs of your ERP, compliance and security teams so the impact is continuous and risk management is effective
  • Accelerate your key business initiatives such as cloud migration, S/4HANA implementation, digital transformation or technical upgrades with reduced risk
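The baseline step of the program described above can be made concrete as a comparison between a hardening baseline and the parameters an instance actually runs with, which is what catches configuration drift before an auditor or an attacker does. The script below is an added example, not Onapsis code: the parameter names are real SAP profile parameters, but the expected values in the baseline and the profile dump it reads are constructed for illustration and stand in for your own hardening standard.

```python
"""Detect drift of SAP profile parameters from a security baseline.

Added example, not Onapsis code. Parameter names are real SAP profile
parameters; the expected values and the profile text are constructed and
stand in for an organization's own hardening standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    param: str
    op: str          # "eq": exact match, "min": numeric >=, "set": non-empty
    value: str = ""


# Constructed baseline (assumed values; take yours from your hardening standard).
BASELINE = (
    Expectation("gw/acl_mode", "eq", "1"),                  # enforce Gateway ACL files
    Expectation("gw/sec_info", "set"),                      # secinfo file configured
    Expectation("gw/reg_info", "set"),                      # reginfo file configured
    Expectation("login/min_password_lng", "min", "8"),
    Expectation("login/no_automatic_user_sapstar", "eq", "1"),
)

# Constructed profile dump in the usual "parameter = value" profile syntax.
# Two parameters have drifted from the baseline and one is missing entirely.
CURRENT_PROFILE = """# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)/secinfo
login/min_password_lng = 6
login/no_automatic_user_sapstar = 1
"""


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, blanks are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        params[key.strip()] = val.strip()
    return params


def check_drift(params, baseline=BASELINE):
    """Return {parameter: reason} for each expectation the profile fails."""
    drift = {}
    for exp in baseline:
        actual = params.get(exp.param)
        if actual is None:
            drift[exp.param] = "not set in profile"
        elif exp.op == "eq":
            if actual != exp.value:
                drift[exp.param] = f"expected {exp.value}, found {actual}"
        elif exp.op == "min":
            if not actual.isdigit() or int(actual) < int(exp.value):
                drift[exp.param] = f"expected at least {exp.value}, found {actual}"
        elif exp.op == "set":
            if not actual:
                drift[exp.param] = "set but empty"
        else:
            raise ValueError(f"unknown operator {exp.op!r}")
    return drift


def run(profile_text=CURRENT_PROFILE):
    """Convenience wrapper: parse a profile dump and return its drift."""
    return check_drift(parse_profile(profile_text))


if __name__ == "__main__":
    for param, reason in sorted(run().items()):
        print(f"DRIFT {param}: {reason}")
```

The baseline is data rather than code so that it can be reviewed and versioned like any other control; running the check on every transport or change window, and treating a non-empty result as a blocking finding, is what turns a one-time hardening exercise into the continuous control the program calls for.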


Simply Securing a System Is No Longer Sufficient

By Robert Holland, VP Research, SAPinsider

Securing an SAP system used to involve checking access and process controls and ensuring that the most recent SAP Notes had been applied. Now it involves not only ensuring that the system itself is up to date but also addressing cybersecurity and compliance issues.

The Threat Landscape for SAP Systems

A few years ago, the most critical systems that SAP customers needed to secure were SAP ECC and SAP NetWeaver and the on-premise applications to which these connected. However, as organizations have started digital transformation projects, security and compliance requirements have evolved, as have the risk and threat landscape. Organizations may now be in the process of migrating to SAP S/4HANA either on SAP HEC or with a public cloud provider, as well as consuming SAP Cloud Platform using Cloud Connector and utilizing data from solutions running through SAP SuccessFactors, SAP Ariba, or SAP Concur. And as they grow through acquisitions, or simply because they are running both SAP and non-SAP solutions, they may find they need to integrate solutions from Oracle, Salesforce, and Workday into their SAP landscapes. This complexity of applications, and the complexity of integrating these systems, also complicates the security landscape. But even as organizations work to detect and control the risks in their landscapes, and to defend them against potential intrusions, they also need to ensure that they are addressing increasing compliance requirements. To gain a better understanding of how this is impacting SAP customers, SAPinsider recently spoke with Juan Pablo Perez-Etchegoyen, CTO of Onapsis, about security, compliance, and the trends he’s seeing from SAP customers around the world.

Making Your Systems Secure and Compliant

According to Onapsis’ Perez-Etchegoyen, the threat landscape for SAP systems is growing. For example, since the RECON vulnerability was addressed by SAP in July, there has been an uptick in sources exploiting that vulnerability across the internet. “Most of the time it’s not as simple as a patch, because the process of deploying the patch requires a downtime window which introduces a lot of friction with the business,” said Perez-Etchegoyen. This downtime window means that someone needs to decide when the system will be offline. A mitigation can also have a different impact when it must be applied per node or per system, or when the weakness can still be exploited via user credentials. According to Perez-Etchegoyen, “because these are business applications the complexity levels require the right technology and focus to keep them secure.” A big trend that Onapsis is seeing is that of not only keeping systems secure but ensuring that they are also compliant. “Regulators realize more and more the need to include cybersecurity as part of system control because in large enterprises SOX compliance is critical,” said Perez-Etchegoyen. He sees regulators, auditors, and the compliance ecosystem starting to pay attention to cybersecurity specifically when it comes to SAP applications, especially where those applications fall under some form of compliance regulation. “Somewhere, these organizations will be covered by a compliance regulation, and so they’ll need to make sure that they have tools in place to measure that and ensure that they are meeting those regulations,” added Perez-Etchegoyen. This is where having a security and compliance solution can make an impact in an organization.

Onapsis’ offering in this space, The Onapsis Platform for Cybersecurity and Compliance, provides four main functionalities to assist organizations: Assessment, so that risks can be detected; Control, so that a risk can be prevented from being introduced; Defend, so that a user has the right visibility when risks are identified; and Compliance, which automates the compliance posture to address compliance needs. Any risk found is then fully visible to the end user, who can readily address it. This also extends to the cloud, where the data consumed in a cloud instance is still the responsibility of the customer. Even with SaaS applications like SAP SuccessFactors, where patching isn’t an issue for the end user, there may still be data issues because of the complexity of services, modules, components, and customizations that organizations don’t have visibility into. And the more any functionality is customized, the more difficult the application is to secure and keep compliant.

What Does This Mean for SAPinsiders?

As organizations accelerate the deployment of cloud-based technologies (99% of the SAPinsider Community say they are already running them), the security and threat landscape within an organization must be extended to include these new systems. At the same time, these systems must also follow compliance regulations like GDPR, SOX, and CCPA. What steps should you be taking to make sure that your systems and data are secure?
  • Determine your security and compliance plans before deploying applications in the cloud. “Adopting security and compliance policies when migrating to the cloud provides an acceleration of timelines,” says Perez-Etchegoyen. If these policies aren’t in place in the beginning, organizations will need to come back and implement them which causes delays. Having policies in place early helps ensure a faster and more secure adoption.
  • Investigate which regulations impact your organization and implement plans for ensuring compliance. With the growing prevalence of regulations for data and financial governance, organizations need to know exactly which ones impact them, and how they will ensure that they meet those standards. Given that these standards may come into play even if they only work with a vendor or have a customer in a region impacted by these regulations, knowing the extent of the regulations and having plans in place to comply with them is very important.
  • Carefully examine your existing security tools to determine whether they will meet future needs. While most SAPinsiders ensure that their systems apply critical SAP Notes and patches, SAPinsider research showed that the top driver around enterprise security was a demand for a more holistic security strategy. In addition, a key action they were taking was that of building an integrated security strategy. Both these steps suggest that most organizations' current security strategy does not fully meet their needs, so examining what they are doing from a security standpoint and what they will need for the future, particularly when moving to the cloud, is critical.
  • Implement training plans for internal security and compliance teams. Although solutions like The Onapsis Platform do not require every user to be a cybersecurity expert in order for the organization to gain significant benefit, ensuring that compliance teams and SAP security officers have the appropriate training can provide a greater benefit for the organization. And while the benefits will be gained in the security tools being used, they will also extend to the whole organization as they help SAPinsiders prepare for future regulation changes and compliance and security challenges.

About Onapsis

Based in Boston, Massachusetts, Onapsis protects mission-critical applications from SAP, Oracle, and Salesforce, and serves more than 300 of the world’s leading brands including 20% of the Fortune 100. Onapsis’ flagship solution, The Onapsis Platform for Cybersecurity and Compliance, is an SAP Endorsed App and is one of the first cybersecurity and compliance platforms to become an SAP endorsed app. It is currently available in the SAP App Center.

view

Share on Social

https://www.facebook.com/OnapsisLife/

Articles / Case Studies / Videos

Recap of “Evolving Your SAP Security and Compliance Strategy in the Era of Cloud and SAP S/4HANA”

By Annie Kennedy, Associate Conference Producer Jason Fruge (JF)Vice President, Business Application Cybersecurity at ‎Onapsis, was the expert in the Q&A titled “Evolving Your SAP Security and Compliance Strategy in the era of Cloud & SAP S/4HANA,” which aired live on day 1 of SAPinsider's 2020 Virtual Conference ExperienceAlthough Jason is a more than 20-year security practitioner, he wasn’t familiar with SAP and what it does with organizations’ business functions for most of his career. A few years ago, he took advantage of a business risk illustration and was shocked that none of the security controls he’d invested in detected the threat. As he reflected on what a huge issue that was, how a company can’t have the resources to patch everything with rigor and must consider the most important applications and how those functions are protected, he was prompted to build a business case. He got funding to apply for the approved security process, and he was lucky to have a team that was interested in solving the security problem and understood the importance of finding new solutions.  The Q&A was moderated by SAPinsider's VP of Research and Publishing, Robert Holland (RH). Here are a few snippets from the conversation. Q: What sort of security challenges do you see customers facing as they begin to deploy the cloud? Is this a good time to evaluate their security? JF: People are beginning to host portions or all of SAP systems or data on someone else’s network. It’s a challenge in this shared model being responsible for securing your data, even on someone else’s network. What tools are you introducing will face that challenge. Organizations need to consider more than firewalls in an age of socially engineered hacks such as phishingYou have to actively educate people on what they can and can’t share. Another factor that weakens security is that SAP is more accessible than ever, put online so people can pull up data on their cell phones. 
Workplaces are remote during the pandemic, so there’s more cloud-based access of data, and organizations need to consider new modes to combat security threats or leaks.     Q: What is the biggest thing a security lead should know or do before starting a move to S/4HANA?   JF: Have a meaningful conversation with the team about how they plan to organize and access data in this new environment, what level of risk can be accepted, and what security strategy can be comprehensive enough to protect what’s most important to them.    Q: What steps should SAPinsiders take to ensure security?  JF: People-process or technology-process, but companies need a holistic strategy that accounts for both. Organizations should look beyond user authorizations; see if the configurations are secure, patches installed, programs updated, etc. Hackers have a lot of incentive to break into SAP systems. 77% of the world’s financial transactions and 78% of the world’s food distribution go through some form of SAP technology; it’s not an enterprise security problem but a national security problem that could have a devastating impact. It’s important to have a strong security system in place. RH: Warehouses and packing plants being shut down by the pandemic had an immediate impact on supermarket stock. Imagine the issue if someone deliberately attacked our global supply chain. Everyone needs to take notice and ensure the chain is resilient.  How would your company be affected if your supply chain was taken down? It’s a great conversation piece that everyone should discuss.    Q: Are there vulnerabilities people might not be considering, and how important is the security of the HANA database itself?   JF: SAP is installed on an operating system.  The fastest way to manipulate the SAP application is within the operating system; secure the OS first, then the application next.     Q: How can an internal audit function best partner with the IT organization during a move to SAP S/4HANA?   
JF: Have a good relationship with the architects so they can identify any gaps during production rather than retroactively. Strong relationships are key! We can also automate a lot of the audit, so when they come in to do them, we can arm them with information without having to stop their work to support the audit.     Q: Is there an easy way to apply the SAP security patches that get sent out, and iSAP Solution Manager the best alternative?   JF: SAP Solution Manager is a fine way to get patches done but it has limitations; it’s an honor system where you check a box and say you applied a patch, but it may not have been applied appropriately. Onapsis’ solution actually tests the patches to be sure they were applied appropriately. Applying patches is a challenge; SAP will give priority scores to patches, and you have to translate the impact of that on your own organization, because what’s high priority for them might be low for you and vice-versa. There’s no quick solution, but the capabilities to put on patches from a technology perspective is the easy part; the business analysis that goes into that decision is the harder part.   

view

Case Study - Global Advertising Company Saves Time and Money by Migrating to SAP HANA with Onapsis

THE CHALLENGE: Migrate SAP ECC to SAP HANA while ensuring security and compliance. THE SOLUTION: The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance Many large companies rely on SAP as a key component of their business. Learn how a Global Advertising company saved time and money by migrating to SAP HANA one year ahead of schedule.

view

Threat Report: 10KBLAZE

In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of The Onapsis Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring and remediation of affected organizations globally. Check out the full threat report with information about how to determine if you are at risk and steps to take for remediation.

view

Top challenges of a CIO

The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.

view

The Secure Transformation to SAP HANA

Is SAP HANA really the new big thing? Developed in 2008 by the Hasso Plattner Institute and Stanford University, SAP HANA was introduced in 2010—in the same year as the iPad. It's hard to imagine our lives without the latter, but the adoption of SAP HANA technology is advancing much more slowly. SAP has approximately 380,000 customers and as of the end of 2017, only 8,000 were using SAP S/4HANA1, the application that seamlessly builds on the platform and has existed since 2015. Looking ahead, however, exponential growth is inevitably just around the corner. SAP systems that are not based on SAP HANA technologies will most likely no longer be supported after 2025. With a quick glance at a calendar, it quickly becomes clear that now is time to initiate the complex and long transformation to SAP HANA. Although the deadline is a clear motivation for the transformation, the focus for organizations should be on the opportunities that SAP HANA offers. When properly planned and implemented, the switch to SAP S/4HANA can be an important milestone toward a digital enterprise.

view

High Profile Vulnerabilities in SAP Applications and How to Be Prepared

By Juan Perez-Etchegoyen, CTO, Onapsis Enterprise Software is complex due to its nature and interconnectivity to business processes. On top of that, software is made by humans, which means that regardless of how much we want to avoid it, bugs will be there and not uncommonly... critical ones. This holds true for many software vendors such as Microsoft, Apple, Oracle, Intel, Adobe, VMWare...and also SAP. What all of these vendors also have in common is how they deal with the patches that solve those vulnerabilities, through what is called the “Patch Tuesday.” Patch Tuesday happens to be the second Tuesday of every month and has now become a standard day where large software makers release the fixes for security vulnerabilities in their software. In this manner, patches are released in a coordinated way providing organizations’ IT departments the opportunity to be prepared. Even though it is impossible to know if the number of patches a vendor is releasing will be 0, 1 or 10, at least these IT teams can better expect the unexpected, knowing that the second Tuesday of every month, there's potentially going to be a bunch of things to fix across the board.

A Positive Trend

But what about the applications that support your most critical business processes and hold your crown jewels? IT Admins have been dealing with Patch Tuesday for the last few years and getting used to the overhead of patches being implemented. But the SAP BASIS teams, who manage your SAP applications and ensure availability and uptime of applications, have been slowly adopting this patching process, because the cadence of changes within SAP applications is completely different in organizations, as compared to, for example, the ability to react and apply a patch in a windows-based host. Requesting a change management window is not a simple thing for SAP applications that run and support the most critical business processes of your organization. But, that's been changing over the past few years, especially driven by a broader awareness of the need for cybersecurity controls around SAP applications. Additionally, even though the overall number of SAP Security Notes has been slowly decreasing over the years, due to SAP strategies to package and simplify customers' adoption of patches (for example multiple vulnerabilities fixed through the same patch), there's been an increasing number of patches addressing critical vulnerabilities (HotNews in the SAP world). As seen in Figure 1, the evolution of SAP Security Notes shows a decrease in the total number of patches as well as an increase on the HotNews over the past 5 years. This data does not consider the potential upcoming SAP Security Notes or HotNews in the remaining 4 months of 2020, which could change the trend too. Figure 1: Evolution of SAP Security Notes over the past 5 years Figure 1—Evolution of SAP Security Notes over the past 5 years   Besides the number of total and critical SAP Security Notes, over the last years, SAP increased the response time to deliver security patches, especially important for critical vulnerabilities, which shows an increasing focus on response time to critical issues.

Going Over Some Examples

In the next sections, we go over some of the most recent and relevant examples of vulnerabilities, misconfigurations and exploits affecting SAP applications. The ones highlighted in this article are those that generated CERT alerts because of the criticality of the issues.

RECON Vulnerability

CVE: CVE-2020-6287
Type: Software Vulnerability
CVSS: 10
Threat Report: SAP RECON Cybersecurity Vulnerability
On July 14th, 2020, SAP released its regular set of security patches, including the patch for a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10, which was identified and reported to SAP by the Onapsis Research Labs. This vulnerability allows an unauthenticated attacker to completely compromise the SAP application through an exposed web service, whether that service is internal or Internet facing. Passive scanning of the Internet showed indicators of over 2,500 vulnerable and exposed SAP applications before the patch was released; that count covers Internet-facing applications only and so is a lower bound on the attack surface. Beyond those, there are potentially thousands of internal SAP applications exposed as well, since almost every SAP customer was affected due to the mandatory nature of some Java-based products, such as SAP Solution Manager.

Figure 2: Distribution of Internet-facing systems

This vulnerability got the attention of a number of national Computer Emergency Response Teams (CERTs), which released alerts to their audiences in many countries. Examples are US-CERT, through alert AA20-195A, and the German BSI CERT-Bund, through advisory CB-K20/0690. The alerts were issued because of the following aspects of the RECON vulnerability:
  • A broad attack surface both internal as well as Internet-facing.
  • No prerequisites for exploitation: anyone with network access to the service can exploit it.
  • Full compromise can be achieved by the attacker.
  • Due to the critical nature of SAP applications, business data could be exposed.
SAP released several SAP Security Notes to address this issue and will continue to update them as more becomes known about the vulnerability and its impact. If you have not yet applied SAP Security Note 2934135, or the workaround in SAP Security Note 2939665 where the patch cannot be applied immediately, it is highly recommended to do so to reduce the risk of exploitation, as threat actors are already exploiting the vulnerability through both manual and automated campaigns. The workaround reduces exposure; the patch remains the actual fix.

Invoker Servlet Vulnerability in SAP Applications

CVE: CVE-2010-5326
Type: Combination of Software Vulnerability and Configuration
CVSS: 10
Threat Report: The Tip of the Iceberg: Wild Exploitation & Cyberattacks on SAP Business Applications
In 2016, the Onapsis Research Labs identified indicators of exploitation and compromise at dozens of organizations that were exposing SAP Java applications to the Internet without taking care of known vulnerabilities or misconfigurations. The Invoker Servlet vulnerability in SAP Java applications, patched by SAP in 2010, was still prevalent among SAP installations in 2016, and it opened a significant attack surface that threat actors were using to compromise SAP applications. With several public exploits and detailed write-ups on how to abuse it, and with threat actors actively exploiting it, the Invoker Servlet became a very critical issue for SAP applications, and the very first US-CERT alert about cybersecurity for SAP applications was issued in May 2016: Alert TA16-132A.

Figure 3: US-CERT Alert highlighting an SAP security issue

What makes this issue hard to fix for good is that it is not a pure "software vulnerability" but a combination of a software vulnerability and a configuration of the system. So even after an organization applies the patch, the exposure can come back if the configuration is later changed and no controls are in place to detect that drift. Even though the issue was fixed almost 10 years ago and US-CERT alerted organizations 4 years ago, Onapsis still finds the Invoker Servlet vulnerability in 10-20% of its assessment engagements. This is another data point on how organizations struggle to apply patches, even the most critical ones. SAP released SAP Security Notes to address the issue in 2010 and again after the US-CERT alert was released:

10KBLAZE Vulnerability

CVE: N/A
Type: Security Configuration
CVSS: 10
Threat Report: 10KBLAZE threat report
In 2019, another cybersecurity issue got top-level visibility across SAP customers: 10KBLAZE. Unlike the software vulnerabilities in the previous examples, this is a security configuration issue in a key component of SAP ABAP-based systems: the SAP Gateway, which handles the RFC communication between SAP applications and external programs. If it is not properly secured, it can expose the entire SAP system and potentially its connected applications. The security settings of the SAP Gateway (its access control lists and the profile parameters that enforce them) had been known and documented for years, yet SAP customers still struggled to secure that component. In May 2019, public exploits were released at a security conference, making the issue more critical because they significantly increased the probability of exploitation, even of internal systems reachable from the corporate network. US-CERT raised an alert in this case too, AA19-122A, providing details about the weakness, the exploits and potential mitigations. SAP had released SAP Security Notes addressing these configuration issues years before the exploits came out:
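The two configuration-driven issues above (the Invoker Servlet setting on AS Java and the SAP Gateway access control lists behind 10KBLAZE) share a lesson: the fix is a setting, so it has to be checked against a baseline continuously, not once. The following script is an added example written for this article; it is not Onapsis code and not taken from the threat reports. It parses the Gateway's reginfo and secinfo ACL files, flags permit rules that let any host register or start any program, warns when a file lacks an explicit closing deny rule, and compares a few profile values against a hardened baseline. The ACL files and profile values are constructed samples. The file and parameter names (reginfo, secinfo, gw/acl_mode, gw/reg_no_conn_info, EnableInvokerServletGlobally) come from SAP documentation rather than from this page, and the expected value for gw/reg_no_conn_info is an assumption taken from SAP's gateway hardening guidance that should be verified against your kernel release.

```python
"""Offline audit of SAP Gateway ACLs and a few security-relevant settings.

Added example for this article, not Onapsis code. All sample inputs below
are constructed. Parameter/file names come from SAP documentation, not
from the article; gw/reg_no_conn_info=255 is an assumption to verify.
"""
import re

# Hardened values the audit expects. The gw/* parameters govern the ABAP SAP
# Gateway (10KBLAZE); EnableInvokerServletGlobally is the servlet_jsp service
# property on AS Java behind the Invoker Servlet issue.
BASELINE = {
    "gw/acl_mode": "1",                      # enforce reginfo/secinfo ACLs
    "gw/reg_no_conn_info": "255",            # assumption: SAP hardening notes
    "EnableInvokerServletGlobally": "false",
}

# Constructed sample ACLs in version-2 syntax: a permissive pair as often
# found in the field, and a hardened pair.
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=*\n"
HARDENED_REGINFO = (
    "#VERSION=2\n"
    "P TP=rfcexec HOST=internal,local ACCESS=internal,local CANCEL=internal,local\n"
    "D TP=*\n"
)
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* USER-HOST=* HOST=*\n"
HARDENED_SECINFO = (
    "#VERSION=2\n"
    "P TP=sapxpg USER=* USER-HOST=local HOST=local\n"
    "D TP=*\n"
)
WEAK_PROFILE = {"gw/acl_mode": "0", "EnableInvokerServletGlobally": "true"}
HARDENED_PROFILE = {"gw/acl_mode": "1", "gw/reg_no_conn_info": "255",
                    "EnableInvokerServletGlobally": "false"}

ACL_LINE = re.compile(r"^([PD])\s+(.*)$")


def parse_acl(text):
    """Parse reginfo/secinfo text into a list of (action, fields) rules.

    Blank lines and '#' comments (including '#VERSION=2') are skipped; each
    other line is 'P' (permit) or 'D' (deny) followed by KEY=value tokens
    such as TP=, HOST=, USER-HOST=, ACCESS=, CANCEL=.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        fields = {}
        for token in m.group(2).split():
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((m.group(1), fields))
    return rules


def unrestricted(value):
    # '*' matches everything; a missing field is treated as unrestricted too,
    # which is the conservative reading for an audit.
    return value is None or value == "*"


def audit_acl(rules, kind):
    """Findings for a parsed 'reginfo' or 'secinfo' rule list.

    reginfo: HOST lists the hosts allowed to register program TP.
    secinfo: USER-HOST lists the hosts allowed to request that TP be started.
    A permit rule with TP and that host field both '*' is the weakness the
    10KBLAZE exploits rely on.
    """
    origin_key = "HOST" if kind == "reginfo" else "USER-HOST"
    verb = "register" if kind == "reginfo" else "start"
    findings = []
    for number, (action, fields) in enumerate(rules, 1):
        if (action == "P" and unrestricted(fields.get("TP"))
                and unrestricted(fields.get(origin_key))):
            findings.append(f"{kind} rule {number}: any host may {verb} any program")
    # SAP's own examples close the file with a catch-all deny so the outcome
    # does not depend on the kernel's default for unmatched requests.
    if not rules or rules[-1] != ("D", {"TP": "*"}):
        findings.append(f"{kind}: no explicit final 'D TP=*' rule")
    return findings


def audit_profile(actual, baseline=BASELINE):
    """Compare live parameter values against the baseline and report drift."""
    findings = []
    for key, expected in baseline.items():
        got = actual.get(key)
        if got is None:
            findings.append(f"{key}: not set (baseline {expected})")
        elif got != expected:
            findings.append(f"{key}: is {got}, baseline {expected}")
    return findings


def audit_system(reginfo, secinfo, profile):
    """Run all checks and return the combined list of findings."""
    return (audit_acl(parse_acl(reginfo), "reginfo")
            + audit_acl(parse_acl(secinfo), "secinfo")
            + audit_profile(profile))


if __name__ == "__main__":
    print("weak:", audit_system(WEAK_REGINFO, WEAK_SECINFO, WEAK_PROFILE))
    print("hardened:", audit_system(HARDENED_REGINFO, HARDENED_SECINFO,
                                    HARDENED_PROFILE) or "no findings")
```

Run the script periodically against files pulled from each instance (reginfo and secinfo live under the instance's data directory, the profile values from the instance profile and the AS Java service configuration) and diff the findings list against the previous run; a new finding is configuration drift of exactly the kind that brings a patched Invoker Servlet or a locked-down Gateway back into an exploitable state. The parser is deliberately simple and only understands the KEY=value rule syntax shown; extend it before relying on it for files that use other constructs.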

Becoming Proactive with Cybersecurity for SAP Applications

With a security-by-design program you gain visibility into your business-critical application environment, the ability to assess it for vulnerabilities, prioritize and fix them, prevent configuration drift, and detect potential malicious attacks or internal misuse. Such a program starts by establishing security baselines for code, configurations and the relevant aspects of your business processes, and then assessing and monitoring against those baselines throughout development and on into production.

Figure 4: A programmatic approach to security and compliance for SAP Applications

In working with some of its largest customers, Onapsis has identified the following key value drivers in defining and implementing an effective security program for business-critical applications:
  • Protect your SAP systems from external attacks and internal misuse by mitigating risk
  • Streamline and automate compliance and audit processes to reduce manual effort and minimize inconsistencies
  • Devise and implement a cross-functional program that meets the needs of your ERP, compliance and security teams so the impact is continuous and risk management is effective
  • Accelerate your key business initiatives such as cloud migration, S/4HANA implementation, digital transformation or technical upgrades with reduced risk


Simply Securing a System Is No Longer Sufficient

By Robert Holland, VP Research, SAPinsider

Securing an SAP system used to involve checking access and process controls and ensuring that the most recent SAP Notes had been applied. Now it involves not only keeping the system itself up to date but also addressing cybersecurity and compliance issues.

The Threat Landscape for SAP Systems

A few years ago, the most critical systems that SAP customers needed to secure were SAP ECC and SAP NetWeaver and the on-premise applications to which they connected. As organizations have started digital transformation projects, however, security and compliance have evolved, and so have the risk and threat landscape. Organizations may now be migrating to SAP S/4HANA, either on SAP HEC or with a public cloud provider, consuming SAP Cloud Platform through Cloud Connector, and using data from solutions running through SAP SuccessFactors, SAP Ariba, or SAP Concur. And as they grow through acquisitions, or simply because they run both SAP and non-SAP solutions, they may need to integrate solutions from Oracle, Salesforce, and Workday into their SAP landscapes. This complexity of applications, and of integrating them, also complicates the security landscape. Even as organizations work to detect and control the risks in their landscapes and defend them against intrusions, they also need to meet increasing compliance requirements. To gain a better understanding of how this is affecting SAP customers, SAPinsider recently spoke with Juan Pablo Perez-Etchegoyen, CTO of Onapsis, about security, compliance, and the trends he is seeing from SAP customers around the world.

Making Your Systems Secure and Compliant

According to Onapsis' Perez-Etchegoyen, the threat landscape for SAP systems is growing. For example, since the RECON vulnerability was addressed by SAP in July, there has been an uptick in sources exploiting that vulnerability across the internet. "Most of the time it's not as simple as a patch, because the process of deploying the patch requires a downtime window which introduces a lot of friction with the business," said Perez-Etchegoyen. This downtime window means that someone needs to decide when the system will be offline. A mitigation can also have a different impact when it must be applied per node or per system, or when the weakness can still be exploited with valid user credentials. According to Perez-Etchegoyen, "because these are business applications the complexity levels require the right technology and focus to keep them secure." A big trend that Onapsis is seeing is that of not only keeping systems secure but ensuring that they are also compliant. "Regulators realize more and more the need to include cybersecurity as part of system control because in large enterprises SOX compliance is critical," said Perez-Etchegoyen. He sees regulators, auditors, and the wider compliance ecosystem starting to pay attention to cybersecurity specifically when it comes to SAP applications, especially where those applications fall under a compliance regulation. "Somewhere, these organizations will be covered by a compliance regulation, and so they'll need to make sure that they have tools in place to measure that and ensure that they are meeting those regulations," added Perez-Etchegoyen. This is where a security and compliance solution can make an impact in an organization.
Onapsis' offering in this space, The Onapsis Platform for Cybersecurity and Compliance, provides four main functions: Assess, so that risks can be detected; Control, so that a risk can be prevented from being introduced; Defend, so that users have the right visibility when risks are identified; and Comply, which automates the compliance posture to address compliance needs. Any risks found are then made transparent to the end user, who can readily address them. This also extends to the cloud, where the data consumed in a cloud instance is still the responsibility of the customer. Even with SaaS applications like SAP SuccessFactors, where patching isn't the end user's concern, there may still be data issues because of the complexity of services, modules, components, and customizations that organizations don't have visibility into. And the more that any functionality is customized, the more difficult the application is to secure and keep compliant.

What Does This Mean for SAPinsiders?

As organizations accelerate deployment of cloud-based technologies, which 99% of the SAPinsider Community say they are already running, the security and threat landscape within an organization must be extended to include these new systems. At the same time, these systems must also follow compliance regulations like GDPR, SOX, and CCPA. What steps should you be taking to make sure that your systems and data are secure?
  • Determine your security and compliance plans before deploying applications in the cloud. "Adopting security and compliance policies when migrating to the cloud provides an acceleration of timelines," says Perez-Etchegoyen. If these policies aren't in place at the beginning, organizations will have to come back and implement them later, which causes delays. Having policies in place early helps ensure a faster and more secure adoption.
  • Investigate which regulations affect your organization and implement plans for ensuring compliance. With the growing prevalence of regulations for data and financial governance, organizations need to know exactly which ones apply to them and how they will ensure that they meet those standards. Because these standards may apply even if an organization only works with a vendor or has a customer in an affected region, knowing the extent of the regulations and having plans in place to comply with them is very important.
  • Carefully examine your existing security tools to determine whether they will meet future needs. While most SAPinsiders ensure that their systems have critical SAP Notes and patches applied, SAPinsider research showed that the top driver of enterprise security was a demand for a more holistic security strategy, and a key action being taken was building an integrated security strategy. Both suggest that most organizations' current security strategy does not fully meet their needs, so examining what they are doing from a security standpoint and what they will need in the future, particularly when moving to the cloud, is critical.
  • Implement training plans for internal security and compliance teams. Although solutions like The Onapsis Platform do not require every user to be a cybersecurity expert for the organization to gain significant benefit, ensuring that compliance teams and SAP security officers have the appropriate training provides a greater benefit for the organization. The benefits go beyond the security tools in use and extend to the whole organization, helping SAPinsiders prepare for future regulation changes and for new compliance and security challenges.
About Onapsis

Based in Boston, Massachusetts, Onapsis protects mission-critical applications from SAP, Oracle, and Salesforce, and serves more than 300 of the world's leading brands, including 20% of the Fortune 100. Onapsis' flagship solution, The Onapsis Platform for Cybersecurity and Compliance, is one of the first cybersecurity and compliance platforms to become an SAP Endorsed App. It is currently available in the SAP App Center.
