All of us are familiar with the high profile corporate systems breaches that have taken place in recent years. With that in mind, have you ever considered that SAP® platforms are subject to similar attacks? While SAP managed for some time to stay out of the direct line of fire, it has increasingly become an attractive target for those who seek to exploit existing, and in some cases, long standing vulnerabilities for malicious purposes.
In the computing world, the term “hardening” describes the attainment of security by reducing potential vulnerabilities. This concept is nothing new to the IT industry at large, and it has become a mandatory and integral part of SAP maintenance. Intrusion mitigation efforts require technical knowledge of the full technology stack: ABAP/Java AS, database, operating system, and network. With that said, we’ve witnessed the evolution of a different facet of SAP security: Basis layer hardening.
In many cases, those who choose to attack SAP platforms have multiple points of entry, and many are geared to take advantage of SAP’s expanding Web-based footprint. Some of the more common and dangerous vulnerabilities include XSS (a client-side code injection technique that targets Web-based platforms), Directory Traversal (which can allow access to files outside of a Web server’s root directory), and Verb Tampering (using unexpected HTTP methods to bypass access controls that are enforced only for specific verbs). These are just a few examples; vulnerabilities also exist in the more frequently inward-facing ABAP stack.
The good news is that there are several ways in which an organization can protect its systems, and SAP has been quick to address susceptibility as threats have increased. One basic (and highly effective) measure comes in the form of Security Notes. Similar to traditional OSS correction Notes, Security Notes are written to address vulnerabilities within a wide range of areas, such as binary Java components, the SAP kernel, the ABAP code base, and more. While SAP categorizes threat levels using its own priority scale, Security Notes also contain Common Vulnerability Scoring System (CVSS) information, including a risk severity score and the vector of metrics from which the score was derived. The standard report RSECNOTE can be executed within the ABAP stack to identify Security Notes that are applicable to a given system, and it helps to single out those that address the most urgent gaps. Since SAP Security Notes are rolled into standard Support Pack Stacks for both ABAP and Java, adhering to a regular patch cycle is no longer just a matter of maintenance, but a conscious effort to close security loopholes as well.
There are additional resources and services that can be utilized to address Basis layer security. Early Watch Alerts and SAP’s Secure Configuration guides are invaluable sources of information, among others. With that said, the most important resource that an organization can leverage is a seasoned and vigilant Basis Consultant who knows what it takes to make today’s SAP platforms secure from threats.
For more information regarding Symmetry’s premier Basis Managed Services to keep your SAP environment stable and secure – visit our SAP Basis Managed Services page.
Learn how Symmetry’s Premier SAP Hosting and Managed Services can meet your SAP business requirements and receive a free assessment of your potential cost savings.