Top 8 security mistakes in SAP environments

The complexity of modern SAP footprints and common security failures have left many organizations exposed to avoidable risks.

Configuration errors and other missteps, many of them well known for years, continue to undermine the security of enterprise SAP environments. The burgeoning complexity of SAP footprints is a big reason for the situation. Over the years, SAP applications have morphed and evolved and these days are connected to myriad other systems and applications.

The typical SAP environment consists of a lot of custom code and bespoke components communicating with each other and to external systems through various APIs and interfaces cobbled together over time. New code and protocols interact with legacy environments and inherit their security vulnerabilities and defects, says Juan Perez-Etchegoyen, CTO of Onapsis, a security vendor in the ERP space.

Changes to profiles, parameters and configurations are constantly being made to accommodate new business processes—but with little understanding of the underlying security implications, he notes. The sheer complexity of these environments has left them rife with security vulnerabilities.

The issue came into sharp focus earlier this year with the public release of a set of exploits targeting well-known configuration errors in two major SAP components. The exploits, collectively dubbed 10KBlaze, gave attackers a way to gain complete remote administrative control of SAP environments, and prompted an advisory from US-CERT.

Here are some of the most common configuration errors and security failures within enterprise SAP environments.

1. Misconfigured ACLs
