Thursday, 07 May 2015 10:13

Over 95% of SAP systems insecure, expected to increase with HANA


Onapsis Research has released study findings showing over 95% of systems assessed had vulnerabilities that could lead to compromised data and disruption of critical business processes.

Onapsis also determined the three most common attack vectors used for compromising SAP business systems at the application layer. These mechanisms place intellectual property, financial, credit card, customer, supplier, and data warehouse information all at risk for the world's largest companies.

Onapsis states its research is based on assessments of hundreds of SAP implementations, showing over 95% of installations were exposed to vulnerabilities. These vulnerabilities have potential for full compromise of the company's business data and process.

Onapsis also states its research finds most companies are exposed to protracted patching windows, averaging 18 months or more.

In 2014 SAP issued 391 security patches, averaging more than 30 per month. Almost 50% were ranked as high priority, yet according to Onapsis these are not being applied in a timely fashion by the vast majority of SAP sites.

SAP's reach cannot be overstated. It is run by over 250,000 customers across the world, including 87% of Global 2000 companies and 98 of the 100 most-valued brands.

The research findings present the sobering realisation that vast volumes of global data are not protected from cyber threats.

Mariano Nunez, CEO and co-founder of Onapsis, states "The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a 'responsibility' gap between the SAP Operations team and the IT security team."

"The truth is," he stated, "most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day and most [Chief Information Security Officers] don't know because they don't have visibility into their SAP applications."

"Companies today are looking ahead at the opportunities presented by moving systems to the cloud, enabling user adoption through mobile devices and big data. The challenge is that most of these new possibilities rely on legacy systems such as SAP. In a connected world, it is essential that critical business applications be protected. Securing a company’s crown jewels is a board-level discussion. Information security professionals need to re-evaluate how SAP is protected from cybersecurity threats," said Renee Guttmann, Vice President, Office of the CISO, Accuvant.

The top three common cyber attack vectors revealed by Onapsis Research are:

1. Customer and supplier portal attacks, where backdoor users are created in the SAP J2EE user management engine.

2. Direct attacks through SAP proprietary protocols, exploiting vulnerabilities in the SAP RFC gateway.

3. Customer information and credit card breaches using pivoting between SAP systems, moving from a system with lower security to a critical system.

Nunez states, "This trend is not only continuing, but exacerbating with SAP HANA, which has brought a 450% increase in new security patches specifically affecting this platform."

This news follows earlier research this week indicating 85% of SAP customers were not interested in moving to S/4HANA citing a large amount of work and expense to migrate for no clear return on investment.

Onapsis' findings now show that SAP HANA users who are not proactive with patching face risks both in the cloud and on-premises.

It should go without saying, but Global 2000 organisations running critical business processes on SAP Business Suite solutions are urged to stay up to date with the latest SAP security notes, and to ensure systems are configured properly to meet compliance requirements and strengthen security. Companies need an action plan to add SAP security to the organisation's strategy and roadmap.







David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.


