A behind the scenes look into the Bug Bounty Program for SAP S/4HANA
“Too little, too late” was a recent comment I read on LinkedIn pertaining to the Bug Bounty program(s) that SAP has been offering since 2018. Though there were some easily discovered flaws in the argumentation of the seasoned SAP security researcher who provided the quote, it mirrors the perception of many people dealing with SAP and SAP security specifically.
Frankly, until I joined SAP, I was guilty of the same train of thought. That changed once I joined. Specifically because I am one of those responsible for ensuring the security of SAP solutions, I can confidently say that customers do not need to worry that SAP is not investing enough into security, at all levels. Nevertheless, it is true that SAP can improve on one aspect: sharing our daily work to build confidence in the security of SAP's solution portfolio. With this post, we would like to start a series of articles that gives you a behind-the-scenes look into the effort SAP puts behind the security of our core product: SAP S/4HANA.
External security verification for SAP S/4HANA
Since we are at it, we will start with the Bug Bounty Program for SAP S/4HANA. I will not go into much detail about what the program itself incorporates; that has been covered by the blog post I mentioned earlier. Instead, I would like to talk about how the program has increased the security of the SAP S/4HANA solution.
The objective of the Bug Bounty program for SAP S/4HANA was set clearly from the start: establish an external security verification platform for SAP S/4HANA and leverage the synergy and knowledge of crowdsourced security testing. To achieve this, we set up a managed and hardened SAP S/4HANA on-premise appliance, running on a hyperscaler, and challenged external researchers to find vulnerabilities in it.
Of course we ran into some challenges and learned as we went, starting with the fact that the setup comprised an on-premise system running in a cloud environment. The results, however, proved that it was worth the while. The program went live in late 2019 and has been running continuously ever since. Even in comparison with the overall numbers for bug bounty programs, the SAP S/4HANA program proved attractive for researchers: about two thirds of all researchers enrolled in bug bounty programs with SAP participated, earning around USD 50k in bounty rewards over a 12-month period. Of all the submissions, about 70% were true positives, which also shows the quality of the research conducted.
The benefits of knowing your weaknesses
Breaking down the vulnerabilities by type yielded some interesting findings, with cross-site scripting (XSS) accounting for a major share of the vulnerabilities found.
For the SAP S/4HANA security team, the program showed quite a few benefits. First, learning how to set up and run a bug bounty, and what it delivers, was a major takeaway for the team; the fact that we have continued the program and increased the scope of our bug bounty programs is proof of this. Additionally, the program's popularity among researchers gave us broader coverage and a high rate of valid findings. This was especially due to the broad knowledge of the external researchers: experts in specific vulnerability classes and security topics evaluated both the application itself and the environment it interacts with.
From an internal SAP perspective, the experience gained with bug bounties, and with setting them up in a manner that appeals to bounty hunters, has already helped onboard further SAP solutions to similar programs. In addition, and most importantly, the bug bounty program for SAP S/4HANA enabled continuous security verification, even after general availability, with high external visibility. At the same time, by applying selective and strict process rules for the program in close cooperation with the bug bounty platform, we greatly reduced the risk of public disclosure of the vulnerabilities found.
The holistic security approach
While the program itself did not reveal major security flaws, it helped us fine-tune existing measures and showed us where to focus in the future. In other words, developing and running the program helped SAP increase the overall security of SAP S/4HANA. And since we look at security holistically, this benefits not only the security of the application in scope, SAP S/4HANA on premise, but also the cloud offerings for SAP S/4HANA and, eventually, the security of all SAP solutions.
Holistic secure software and operations development is a journey that has been ongoing at SAP since the early days. Bug bounties are one item on the bucket list of this journey, and we keep exploring.