SAP systems require special attention when it comes to their security and this is no longer news to anyone. More often than not, the ERP systems supplied from Walldorf in Baden-Württemberg store some of the most crucial and sensitive company data. That said, what is the best approach to achieving the optimum level of security? A security audit would fit the bill!
Many companies rely on a targeted attempt to breach the system security and identify possible security loopholes at project begin. This approach is also referred to as a penetration test or a pentest. And pentests do have a leading role to play in every security concept. However, the very first step should be in a different direction.
SAP Security Audit: Assessing Risk Potential and Preventing Attacks
A penetration test – a targeted attempt to hack an SAP system – is by definition never complete: Often, one of two things happens: The task of the pentester is complete when an exploitable vulnerability is found, or the attempt targets a specific application from the start, the web shop for example, and therefore does not cover all the potential points of entry.
For this reason, an audit should be the first step when assessing SAP system security. A security audit checks one or more SAP systems for known vulnerabilities and incorrect settings. An audit like this can be handled manually. However, because of the many possibly incorrect SAP system parameters and settings – a four-digit number of these could relate to security – a security audit is generally largely automated. The result is presented in a report that lists all vulnerabilities identified and provides explanations and recommended measures for remediation.
But Don’t Forget to Check Your RFC Interfaces!
One thing to remember is that a security audit validates the settings only within a given system. Additionally checking interfaces to other systems for vulnerabilities can significantly increase the meaningfulness of such an audit. This is why the RFC interfaces, particularly in the case of SAP production systems, should be part of a security audit. It is important to check for potential pitfalls, for example RFC users who have been allowed authorizations that are too generous, or who have not changed their password in years, and thus are easier to crack. For attackers, these vulnerabilities mean that these points of attack are typically valid across all of a company’s systems, giving easy access once one loophole is found.
Stay Safe: Eliminate Vulnerabilities in SAP Systems
The first step after performing this kind of security audit, including the validation of RFC interfaces, is to fix any vulnerabilities found. Not until all of this is done does it make sense to seek and remedy additional loopholes with penetration testing. A pentest in this situation has special meaning: In contrast to a security audit, the focus of a pentest is not only to identify vulnerabilities. A pentest also aims to demonstrate how the given vulnerability can be exploited. This is the only way to permit early identification of attack vectors, allowing them to be thwarted. The aim of a security audit is to support the basic security of each and every system.
The SAST SUITE modules System Security Validation and Interface Management offer an automated solution for implementing security audits. The special advantage here is that the modules can be installed permanently, allowing the security status of an SAP system to be checked cyclically. For example, you can prevent the deterioration of your security level by smaller changes which will happen inevitably – across all your systems. And, of course, security audits can also be configured as recurring services. In particular, if your company’s migration to SAP HANA or S/4HANA is right around the corner, such an audit offers an ideal solution for safeguarding your SAP systems and taking all the necessary security measures before you start your transition.
Would you like more information on our SAST SUITE or would you like to find out more about ALL ROUND protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail us at sast@akquinet.de.
Patrick Boch, Product Manager SAST SOLUTIONS