SAP Systems: Managing Your Vulnerabilities

For all businesses integrating mission-critical environments such as SAP, security is a major concern. To meet this challenge effectively, oXya and its partner Cyberwatch have co-developed a solution to ensure the continuous security of your SAP systems. In this article, we discuss vulnerability management with Matthieu Petitprez, Chief Technology Officer at oXya and Maxime Alay-Eddine, Managing Director of Cyberwatch.

SAP System Vulnerabilities: The Key Issues

All IT systems have their vulnerabilities. These weaknesses are open to being exploited by attackers with the goal of impairing the proper functioning of your systems and undermining data integrity. In the case of mission-critical systems like SAP, these vulnerabilities constitute a considerable risk for organizations: a successful cyberattack can have devastating consequences.

Poor management of SAP system vulnerabilities leads to a greater risk of unauthorized access to and hacking of your SAP data, which can be read by third parties without your knowledge, and modified or even deleted. Cyber attacks do not always target your SAP data directly, as hackers may prefer to focus on accessing your operating system via the SAP SIDadm user with the aim of executing malicious code or deleting data. For Matthieu Petitprez, CTO at oXya, “it is important to keep in mind that the more vulnerabilities hackers exploit, the more control they will have over your system, which will intensify the effects of an attack when it is launched.” This is why having a continuous overview of the vulnerabilities in your SAP system is necessary to be able to manage them effectively and appropriately.

How To Manage SAP Vulnerabilities

“Securing your SAP system means taking into account the risks associated with the ERP’s composite environment, which is made up of different layers: infrastructure, operating system, databases, kernel and packages. These different layers, each of which contains its own share of software and code, are potentially open to vulnerabilities,” warns Matthieu Petitprez. To secure your entire SAP system, you will therefore need to contact the publisher of each embedded solution on each of these different layers to find out about their vulnerabilities and be able to protect yourself from them. “Once all this information is obtained, it still needs to be contextualized and ranked according to priority, which is an extremely time-consuming task for IT teams,” explains Maxime Alay-Eddine, Managing Director of Cyberwatch. After detecting, identifying and prioritizing these vulnerabilities, you still need to correct them.

How to stay informed and what actions to take

SAP publishes security notes on critical vulnerabilities in real time. These publications only concern SAP vulnerabilities and therefore exclude any vulnerabilities of other providers in the ecosystem. A summary of both critical and less critical vulnerabilities, the SAP Patch Day Blog, is also made available by the publisher every second Tuesday of the month. “It should be noted that, as no standards exist for describing vulnerabilities, each solution provider is free to present this information as they wish, which further complicates the work of IT teams in this area. For example, SAP security notes are particularly detailed with references to lots of other notes,” says Matthieu Petitprez. Once the CVEs (Common Vulnerabilities and Exposures) have been identified, you will need to carry out an applicability assessment and an impact assessment before applying the security note. Note that, even if they do not contain any data, test environments may also contain vulnerabilities and therefore allow access to your OS, which is why you need to ensure that they are secure!

Complex monitoring of SAP vulnerabilities

Monitoring vulnerabilities via the SAP Patch Day Blog, your me.sap.com portal, or Solution Manager can be tricky. These solutions do not always provide optimal filtering for your system’s needs and configuration, which makes your monitoring all the more complex.

Simplified Vulnerability Management With oXya Solutions

SAP vulnerability management can be automated to achieve continuous system security by assigning severity scores (CVSS) and exploitability scores to vulnerabilities, and by checking their presence in regulatory catalogues.

A solution integrated to oXya services

Thanks to an SAP module co-developed with Cyberwatch, oXya continuously monitors new SAP notifications and automates vulnerability processing, taking your business’s specific environment into account. This means that every hour, the module retrieves the notes published by SAP on me.sap.com and clarifies them by extracting important information (CVE concerned, impacted component, SP needed for correction). Once this has been done, the oXya/Cyberwatch solution then compares this information and your configurations to check whether the published vulnerabilities have an impact on your organization. After taking the technical context into account, particularly the exploitability score, oXya is also able, as part of its managed services, to define priorities in vulnerability management according to your business context. What is the aim of this? To issue recommendations tailored to your needs. The corrective measures can then be deployed by you or by oXya. During this automated process, available to all oXya customers, confidentiality is guaranteed, as Cyberwatch does not have access to your data.

An application created for all SAP clients

If your organization is not an oXya customer, you may use the vulnerability management solution co-developed by Cyberwatch and oXya in its “application” version. “Via the SAP store, you can access the ‘Vulnerability Management by oXya’ application, an easy-to-implement solution that gives you a centralized view of your SAP instances and their vulnerabilities with continuously updated data and direct access to SAP Notes,” says Matthieu Petitprez. In order to use this application deployed on BTP, your business just needs to be equipped with a Cloud Connector.

This application allows your teams to check your system’s vulnerability coverage at any time via several dashboards showing details of vulnerabilities and the technologies deployed, as well as their version (SP) per instance, the details of patching to be carried out, and the security notes to be applied. In a single platform, you have access to all management information for your SAP landscape. An easy, effective and efficient way to manage your SAP vulnerabilities, at last!

At oXya, cybersecurity is one of our key strategic pillars. At the core of our mission is a commitment to provide secure services and to protect your systems on a daily basis. Holding ISO 27001 certification, oXya guarantees the integrity, confidentiality, and availability of your data 24/7, with full traceability of all our operations on your systems.

To find out more about cybersecurity at oXya, click here: Security – oXya