Is SuccessFactors secure enough?
Security is one of major concern of any cloud based solution and for customer it is essentials to know how secure is SuccessFactors as a cloud solution. Well in terms of data security and authorization there is no question at all as at this point of time, we are more or less all familiar. If not please visitSuccessFactors: all you need to know about Authorizations and Security. Customers would also like to know about other security aspects, recent security breaches and flaws and want to know how serious they are?
SuccessFactors does not only provide physical and application security but also provide data encryption and network protection in general. Actually they provide security in all the layers including physical, database, middleware, application, and network & communication.
When it’s about physical layers, SAP data centres come into the picture and they are no doubts world class in terms of security practices and standards. SAP has also won Datacentre Sustainability Award 2015 this year and have a presence in the whole world Location of Data Centers | SAP. If you want to know more you can check SAP Datacenter for a detail look.
Database layer security is not at all new, even on ERP side SAP has one of the strongest security. In terms of access control, audits, authentication, encryption, load balancing, backups and attack prevention. While all the aspects are equally important but when it comes to security breaches by the attackers it is very important to have a strong prevention mechanism to handles the attacks and the vulnerabilities. Below are top vulnerabilities from White-hat Security report. And one of popular and dangerous is the SQL Injections where attackers can steal, tamper and destroy the data from the databases. SAP’s attack prevention measure has proved quite strong so far in preventing this.
Middleware and Network layers has also very strong security whether it is secure single sign-on, SAML 2.0 assertion, communication with APIs, integration with on-premises identity management systems or restricting network traffics. One of the most important measures is on application layer as most of the vulnerabilities and attacks happen in this layer only. We would like to know more about this.
A recent flaw found in SuccessFactors XSS filter by a security researcher mention in Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks exposed the XSS (Cross-Site Scripting) vulnerability which is in fact most common and happening attack as per White-hat Security report and the most challenging one as there are no permanent solution yet.
How does it happen? How serious it is? Is our system secure? There are many questions come instantly to our mind whenever we heard about these news.
But it is equally important for us as customers, consultants, developers, managers, leaders to understand it briefly. The story of the Breaking of SuccessFactors’s XSS Filter is already published by the researcher and explained nicely how he had breached the filter.
And to handle and prevent these, there should be proper validations, filters and sanitizers in the application side (both client and server side) and in the above case the the XSS filter is not strong enough to handle the attacks. And all these happens in the talent page of recruiting site (the only possible frame of little exposer to the attacker) from a company who use this XSS filter from SuccessFactors came from the recruiting solution.Through XSS attacks the attackers can steal private data, steal the session cookie of the Admin, execute commands/malicious scripts, redirect to other malicious site, perform actions on behalf of the users, do port scanning, phishing, keylogging etc.
Though not serious but these can’t be ignore. After this exposer of this flaw SuccessFactors came with really strong filter. Not only this SAP Cloud has it’s own protection mechanism against phishing (obtaining access credentials) and pharming (redirect to malicious site) as each customer may not have their own protection aspects for these.
So there was a flaw but actually it couldn’t be such harmful because of SuccessFactors own vulnerability management mechanism which also give provision to conduct daily and monthly penetration tests on the production environment, and customers also can perform their own application vulnerability testing.
If you want to know more on the XSS please visit these blogs to understand it deeper Securing SAP Systems from XSS vulnerabilities … | SCN
But why we should care about it?
SuccessFactors provide best practice security at the all levels and one of the most secure cloud solution in this market today. SAP’s comprehensive approach at the physical, database, middleware, application, and network & communication layers builds security into every aspect of the business.
We are also aware that SAP HANA Cloud Platform (HCP) also provide the possibilities for SuccessFactors extensions where customers and partners can extend the SuccessFactors applications scope and reach. It could be achieve through different extension layers and one of the layer is definitely the front end which could be expose to XSS.
So whenever there is a provision to XSS attacks like above where customers/partners going for their own applications it is always necessary from our perspective to take extra careful measures as these extended applications may not fully secured with SuccessFactor’s security mechanism. And there is nothing harm in learning every aspects of security like handling vulnerabilities as well so that we can provide better secure solution in the future.