The purpose of this annual report by ERPScan researchers is to give a high-level overview of SAP security in figures, so that the problem area is understood not only in theory but on the basis of actual numbers and metrics – from the number of discovered issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan.
Old issues are being patched, but many new systems still have vulnerabilities. The number of vulnerabilities found per year is going down compared to 2010, but those found are more critical. The number of companies that search for issues in SAP is growing, so we can conclude that interest in SAP platform security has been growing exponentially. There are positive sides to that as well – for example, the latest SAP products are more secure by default.
Taking into account the growing number of vulnerabilities and the wide availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example, APT) but also for mass exploitation by worms targeting one or more vulnerabilities. And while many issues have already been closed, there are many more areas still not covered by researchers, where lots of vulnerabilities can be discovered. We are working closely with the SAP Security Response Team on discovering and patching security issues, and SAP AG publishes security recommendations and guidelines showing administrators how to protect their systems from the most popular threats. This area has changed a lot during the last year, and SAP now invests many more resources in internal SDLC processes and internal security conferences.
Unfortunately, as a year ago, the greater part of the task still lies with administrators, who should enforce the security of their SAP systems through guidelines, secure configuration, patch management, code review, and continuous monitoring. Furthermore, we think that SAP forensics can be a new research area, because it is not easy to find evidence in a log system as complex as SAP's is now, even when that evidence exists. The more attacks are conducted against SAP systems, the greater the need will be for forensic investigation and continuous monitoring of SAP security.