Thinking ahead and preparing the way for product security
# Interview of Dr. Roger Gutbrod, Head of SAP Security Research
- What are the main principles that drive the SAP strategy in that domain?
First of all, I would like to talk about SAP sales and the change of our sales pitches. In the past, SAP convinced our customers with functions and features, mature and rich, to support most industries. This has changed dramatically, and cloud business is a major driver for this change. When you talk to sales people or whoever is involved in a sales deal, they will tell you that security comes first in sales. We first need to convince customers that our cloud services are secure. If we fail here, they will not look at our products at all. We must convince on security. SAP needs to bring this attitude to production and delivery. Security must come first in our software development and operations. But security requirements change a lot. Every day there is a new attack vector. SAP Security Research has a fundamental principle and mission:
“By building bridges between the scientific world and product development, we implement our goal of thinking ahead and preparing the way for product security at SAP”.
- What are the SAP activities in Security Research?
Every year we meet and discuss the priorities of our strategy. We currently have 8 domains identified, where we believe research is necessary to secure SAP’s and our customers’ future:
- We research anonymization techniques to enable analysis and ML while considering customers’ trust in SAP.
- We take care of both managing security in open source and security in the software lifecycle process.
- With research on deceptive applications we want to enable self-defending properties in SAP’s products.
- Applied cryptography has always been the most covered field of research at all conferences. We have this in our strategy as well.
- Two years ago we added ML for security and securing ML to secure our Intelligent Enterprise.
- We recently added two further topics: Secure Internet of Things
- With Quantum Technology we have a research domain with long-term impact for SAP and all industries.
- What are the missions of the SAP Security Research team?
On all our official brochures you will find a bridge on the cover. This has a purpose, because our mission is “By building bridges between the scientific world and product development, we implement our goal of thinking ahead and preparing the way for product security at SAP”. This means we need to consider both ends: the scientific one, where we learn about new security threats and technologies to prevent them, and on the other side SAP’s product development, which we want to enable to become sustainably secure.
- How does the SAP Security Research identify new cybersecurity trends? How do you decide about the topics to investigate?
That is a really good question. We certainly have scientific conferences as input for cybersecurity trends. In addition we have annual workshops. We have just finished our 2019 workshop. There we review our strategy domains. Strategy experts explain the trends they have observed. We also include what we call “trend scouting”. Technology trends, as provided by Forrester, Gartner, IDC, Accenture and others, are discussed. We want to see what is in it for security. In addition, we have an annual SAP Security Research seminar where we invite professors to discuss trends and possible approaches with us. The event this year took place in Mougins, with Tim McKnight, SAP’s CSO, as special guest. This year our workshop was expanded by additional requirements from the global Security Leadership team. They brought in new trends they see and asked us how SAP Security Research can help. One important trend they brought in is the transformation from Cyber Security Defense and Response to a broader scope, including cyber intelligence, which is called Cyber Fusion Center.
- Daily, how do the SAP Security Research team and Development organization collaborate?
I wouldn’t refer to the collaboration with the development organization as a daily affair. Our approach is to bridge academia with product development. This means that we first need reasonable research results before we get in contact with product owners. Transferring research results can be a time-consuming matter, where we also need additional development capacity to succeed. We collaborate with ICN to make these transfers of research results more effective.
- How does your team ensure that SAP’s products development and deployment respect sustainable security principles and processes?
Usually, the secure software development lifecycle is not a duty for SAP Security Research. We have a product security team, which is responsible for a product security standard – the guidelines for development, and a central security operations team, which takes care of security guidelines for deployment and secure operations. Both teams also consult the SecDevOps teams. Having said that, however, there are indeed research results which end up in both standards. One example is Threat Modeling, which was initially researched by our team and then productized as Secure Development Lifecycle. Furthermore, we invented tools to automate secure processes. VULAS for vulnerability management in open source is another good example.
- How does SAP ensure the best security in its products?
As mentioned above, this is a collaborative effort with the product security team and the security operations team. Our responsibility is to monitor novel approaches and new attack vectors and find solutions. SAP Security Research constantly thinks ahead and prepares a secure way for product development by using information sharing and education sessions. We regularly inform the security expert community via the exchange in the security expert JAM page discussions and give updates on trends and solutions in the bi-weekly security exchange sessions for experts at SAP. Besides, the annual d-kom and the SAP Security Expert Summit live on contributions from SAP Security Research.
- The annual SAP Security Research workshop has just ended; what are the key takeaways?
This year, we had a really extraordinarily intensive workshop. First, we used McKinsey’s 7S strategy concept to review SAP Security Research and adapt supporting factors to our strategy. Secondly, we assessed technology trends provided by Gartner, Forrester, IDC and others to look into probable security challenges. Thirdly, we reviewed our own strategy. The focus was on anonymization and applied crypto, where we achieved some maturity, and we discussed the second part of the bridge: how to make the results available for SAP product developments.
- What is the most important trend you are seeing coming in cybersecurity?
I see two to three trends which we need to take care of. One is ML anywhere! ML itself provides a new attack vector which we need to secure. In addition, ML is used by attackers and so needs to be used by us to better defend our solutions. One example here is the incident process, where ML can help us to automate the processes and to identify new attack patterns. An extension from Cyber Security Defence and Response to a Cyber Fusion Center with integrated security intelligence is another example. Secondly, deceptive applications are another trend. Applications must be enabled to identify attackers and defend themselves. With Tainting and SunDew we already have two proposals in our portfolio. Thirdly, still underestimated, we have the attacks via open source or third-party software. While we are still maturing our open source processes at SAP to make open source usage secure, the next wave of attacks has started already. We see that malicious code is injected to make the supply chain vulnerable. We adapted our strategy to tackle those new trends.
- What are the main challenges facing the cybersecurity area today?
One main challenge is to balance the efforts for maturing the current cybersecurity operations to prevent attacks now with the efforts to invest in inventions to prevent new attacks, which will hit us in the near future. We need to modernize the security incident management to handle the massive amount of data. We talk about terabytes of data which we have to analyze every day to identify attackers. We talk about 30 billion security events every month which show up at our monitor. On the other side, we see new attack vectors, like the malicious code coming with open source to attack our supply chain infrastructure. SAP Security Research helps with ML to automate the current operations, while researching solutions to prevent the new attack vectors. This is already a big load for all security teams. Identified, but not sufficiently handled by any company, is the threat coming from social engineering and phishing. We need to integrate new experts, like psychologists, together with security experts to tackle those attacks. This is a completely unresearched and open field.
- How to deal with open source software integration while maintaining a high-level of security in SAP products?
This is indeed a big challenge. SAP, like other companies, meanwhile uses 80% or more open source. We need to manage vulnerabilities in open source. SAP Security Research offers the VULAS tool, which meanwhile has ML components in it, and contributed it as open source to the development community. Besides, we started research on the new attack vectors mentioned above: preventing malicious code in open source from hijacking our production and deployment infrastructure.
- What would your advice be to someone who would be willing to join the SAP Security Research team?
Our researchers in SAP Security Research are experts in at least one domain of security. Every security expert who is curious about new threats and technologies, who is willing to constantly learn and who has great ideas for novel solutions is welcome to our team.
Each year, the SAP Security Research team organizes a workshop bringing together all the experts for a review of priorities. The 2019 edition was held from 9 to 11 September with the aim of determining the major lines of research for 2020 and thus updating their public annual report. The workshop perfectly complements the Security Seminar held in June with specialists from around the world and in the presence of SAP Chief Security Officer Tim McKnight.