Thursday, 07 May 2015 10:13

Over 95% of SAP systems insecure, expected to increase with HANA


Onapsis Research has released study findings showing over 95% of systems assessed had vulnerabilities that could lead to compromised data and disruption of critical business processes.

Onapsis also identified the three most common attack vectors used to compromise SAP business systems at the application layer. These mechanisms put intellectual property, financial, credit card, customer, supplier and data warehouse information at risk for the world's largest companies.

Onapsis states its research is based on assessments of hundreds of SAP implementations, showing that over 95% of installations were exposed to vulnerabilities. These vulnerabilities have the potential for full compromise of a company's business data and processes.

Onapsis also states its research finds that most companies have protracted patching windows, averaging 18 months or more between a patch being released and being applied.

In 2014 SAP issued 391 security patches, averaging more than 30 per month. Almost 50% were ranked as high priority, yet according to Onapsis these are not being applied in a timely fashion by the vast majority of SAP sites.

SAP's reach cannot be overstated. It is run by over 250,000 customers across the world, including 87% of Global 2000 companies and 98 of the 100 most-valued brands.

The research findings present the sobering realisation that vast volumes of global data are not protected from cyber threats.

Mariano Nunez, CEO and co-founder of Onapsis, states "The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a 'responsibility' gap between the SAP Operations team and the IT security team."

"The truth is," he stated, "most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day and most [Chief Information Security Officers] don't know because they don't have visibility into their SAP applications."

"Companies today are looking ahead at the opportunities presented by moving systems to the cloud, enabling user adoption through mobile devices and big data. The challenge is that most of these new possibilities rely on legacy systems such as SAP. In a connected world, it is essential that critical business applications be protected. Securing a company’s crown jewels is a board-level discussion. Information security professionals need to re-evaluate how SAP is protected from cybersecurity threats," said Renee Guttmann, Vice President, Office of the CISO, Accuvant.

The top three common cyber attack vectors revealed by Onapsis Research are:

1. Customer and supplier portal attacks, where backdoor users are created in the SAP J2EE user management engine.

2. Direct attacks through SAP proprietary protocols, exploiting vulnerabilities in the SAP RFC gateway.

3. Customer information and credit card breaches using pivoting between SAP systems, moving from a system with lower security to a critical system.
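The first attack vector above leaves a trace a defender can look for: a newly created account holding administrative roles that was not provisioned through the normal process. The following is an added example written for this article, not code from Onapsis or SAP. It reviews a user export for privileged accounts created by an unapproved identity or outside an approved change window. The CSV layout, the role names (`Administrator`, `SAP_J2EE_ADMIN`, `SAP_ALL`), the approved provisioning identities and the change-window policy are all constructed assumptions for illustration, not an SAP format or an SAP-documented rule set.

```python
"""
Added example (not part of the Onapsis study or the article): flag newly
created privileged accounts in a user export, the kind of "backdoor user"
the first attack vector describes. The CSV layout, role names, approved
creators and change-window rule below are constructed assumptions.
"""
import csv
import io
from datetime import datetime, time

# Roles treated as privileged (assumed names for illustration only).
PRIVILEGED_ROLES = {"Administrator", "SAP_J2EE_ADMIN", "SAP_ALL"}

# Identities allowed to create users (assumed provisioning accounts).
APPROVED_CREATORS = {"IDM_SERVICE", "BASIS_ADMIN"}

# Approved change window: weekdays, 18:00 to 22:00 local time (assumed policy).
WINDOW_START, WINDOW_END = time(18, 0), time(22, 0)

# Constructed sample export, one line per account. Timestamps are ISO 8601.
SAMPLE_EXPORT = """\
user_id,created_by,created_at,roles,last_logon
jsmith,IDM_SERVICE,2015-04-20T19:15:00,Employee;Supplier_Portal,2015-05-05T08:02:00
svc_backup,IDM_SERVICE,2015-04-21T18:40:00,Administrator,2015-05-06T02:11:00
portaluser7,WEBADMIN,2015-05-03T03:27:00,Administrator;SAP_J2EE_ADMIN,2015-05-03T03:31:00
vendor_acme,IDM_SERVICE,2015-05-04T20:05:00,Supplier_Portal,
tmp_admin,svc_backup,2015-05-06T13:44:00,SAP_ALL,2015-05-06T13:50:00
"""


def parse_export(text):
    """Parse the CSV export into dicts with a datetime and a set of roles."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["created_at"] = datetime.fromisoformat(row["created_at"])
        row["roles"] = set(filter(None, row["roles"].split(";")))
        rows.append(row)
    return rows


def in_change_window(ts):
    """True if ts falls on a weekday inside the approved change window."""
    return ts.weekday() < 5 and WINDOW_START <= ts.time() <= WINDOW_END


def review_account(row):
    """Return the reasons an account looks like a backdoor; empty means clean.

    Only accounts holding a privileged role are examined, so ordinary portal
    users created outside the window do not generate noise.
    """
    reasons = []
    if not row["roles"] & PRIVILEGED_ROLES:
        return reasons
    if row["created_by"] not in APPROVED_CREATORS:
        reasons.append(
            f"privileged account created by unapproved identity {row['created_by']}"
        )
    if not in_change_window(row["created_at"]):
        reasons.append("privileged account created outside the change window")
    return reasons


def find_suspicious(text):
    """Map user_id -> list of reasons for every account that fails review."""
    findings = {}
    for row in parse_export(text):
        reasons = review_account(row)
        if reasons:
            findings[row["user_id"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_EXPORT).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data, `svc_backup` passes because it was provisioned by an approved identity during the window, while `portaluser7` and `tmp_admin` are flagged on both checks. Note that `tmp_admin` was created by `svc_backup`, an account that is itself privileged; comparing successive exports against a baseline, rather than reviewing a single snapshot, is what makes that kind of chained creation stand out in practice.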

Nunez states, "This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450% increase in new security patches specifically affecting this platform."

This news follows earlier research this week indicating that 85% of SAP customers were not interested in moving to S/4HANA, citing the large amount of work and expense involved in migrating with no clear return on investment.

Onapsis' findings now show that SAP HANA users who are not proactive with patching face risks both in the cloud and on-premises.

It should go without saying, but Global 2000 organisations running critical business processes on SAP Business Suite solutions are urged to stay up to date with the latest SAP security notes, and to ensure systems are configured properly to meet compliance requirements and strengthen security. Companies need an action plan that adds SAP security to the organisation's strategy and roadmap.

David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
