They say that major events cast a shadow that portends their arrival. In SAP environments, this applies in particular to the transition to S/4HANA, which companies will need to make before maintenance for SAP ERP expires in 2025.
As we covered this pending migration from various perspectives at our SAST DAYS 2019 event, interest in the topics of authorizations and code security was especially high. Let’s take a look back at those exciting days, which presented a balanced mix of current challenges and assorted solutions.
According to recent investment reports from the German SAP User Group (DSAG), up to 80 percent of the companies it surveyed intend to migrate their SAP systems to S/4HANA in the next several years. Certainly a bold endeavor. To minimize internal effort, the recommendation is to eliminate legacy issues – for example ABAP custom code – before the migration takes place.
The Gateway is a central communication component of an SAP system. As such, it is an attractive target for hacker attacks – and should receive corresponding protections. If the Gateway protections fall short, hacking it becomes child’s play. Despite this, system interfaces are often left out when securing IT systems. Should a cyberattack occur, this will give the perpetrators direct access to your sensitive SAP systems.
C/4HANA is the name of the newest product in the SAP portfolio. The company based in Walldorf, Germany, promises nothing less than a revolution of customer experience. But is C/4HANA secure? And what does “C/4HANA” mean, anyway?
It’s probably too early to sum up the state of SAP security in 2018. Then again, fall is the season for events such as the DSAG Annual Congress (German SAP User Group), which just ended in Leipzig. It is at conferences and trade fairs like this that you get a chance to find out exactly what is on the minds of SAP customers. As a result, it isn’t too soon to get a reading of the security issues that are considered important in the SAP environment.
Almost all companies fine-tune their SAP systems with custom developments, but in doing so, they often expose themselves to severe security flaws. In particular, forgotten code that was only needed for a short time or has since been rendered obsolete by SAP’s own enhancements presents a further avenue for attacks.
Many companies work with internal solutions to safeguard their SAP landscapes. However, operating systems, databases and SAP systems, especially those at large companies or even international groups, can have very complex IT landscapes – and are often insufficiently protected against unauthorized attempts to access these landscapes. This used to be the situation at a leading global automotive supplier. Now, the company relies on SAST SUITE from AKQUINET to safeguard its SAP landscapes.
Time and again, we’ve seen subpar handling of risk resolution in practice for RFC interfaces, with no guarantee for maintaining proper and secure operating conditions.
The addition “WITH HEADER LINE” has technically been unnecessary going back several SAP versions now. This is because the statement declares both internal tables and an additional data object – the header line.
In many SAP systems, there are RFC connections which address strange hostnames or even point to Amazon servers. This is due to the fact that SAP transports “RFC data garbage” from its own development computers to the customer during new installations.