The analysis revealed that 2014 has seen an increase in SAP security vulnerabilities and exploits compared to 2013. Advanced threats targeting SAP systems that run business-critical applications are increasing at an accelerated rate. This year there have been 391 SAP security notes to date, 46% of which are ranked as ‘high priority’ vulnerabilities. Of these, Onapsis Research Labs reported 44 vulnerabilities and published 35 advisories affecting SAP platforms and related products such as SAP HANA, BusinessObjects, and the SAP Business Suite running CRM and ERP.
Organizations use SAP BusinessObjects to track, analyze and report on business performance, while SAP BASIS comprises the administrative functions and processes that run SAP systems, including the database, supporting architecture and user interface.
During 2014, some of the most widely publicized critical vulnerabilities also affected SAP platforms, including Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271) and POODLE (CVE-2014-3566), as well as malware such as Zombie Zero. The proliferation of advanced threats was also prominent in 2013, a year marked as ‘the rise of malware,’ with threats targeting SAP systems such as the Win32/Gamker Trojan, which included basic reconnaissance of SAPGUI clients.
Mariano Nunez, CEO of Onapsis, said, “The security industry has never been more complex. As we enter the upcoming year, more and more organizations are putting in their strategies to either start or to continue migrating to the cloud. In 2015 there is no doubt that attackers will pursue vulnerabilities in key platforms. With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms must be protected both in the cloud and on end-user devices.”
“To help communicate these issues, our research is shared with vendors and partners, such as SAP, and trusted by users. With the state of the industry continuing on its current path, I would urge all SAP users to regularly check our advisories and the remedial steps we share to protect their company’s most important data in the upcoming year,” continued Nunez.
The Onapsis Security Advisories are publicly available at: http://www.onapsis.com/research/advisories.
Ezequiel Gutesman and Juan Perez-Etchegoyen, CTO of Onapsis, will host an exclusive analysis of 2014 SAP security vulnerabilities on Thursday, December 18th, 2014 at 1:00 P.M. EST. Registration is required to attend.
Onapsis gives organizations the adaptive advantage to succeed in securing business-critical applications by combining technology, research and analytics. Onapsis gives every security and compliance team an adaptive approach that focuses on the factors that matter most to their business: critical applications that house vital data and run business processes, including SAP Business Suite, SAP HANA and SAP Mobile deployments.
Onapsis provides technology solutions including Onapsis X1, the de facto SAP security auditing tool, and the Onapsis Business-Critical Application Security Platform, which delivers enterprise vulnerability, compliance, detection and response capabilities with analytics.
The Onapsis Research Labs provide subject matter expertise that combines in-depth knowledge and experience to deliver technical and business context with sound security judgment. This enables organizations to efficiently uncover security and compliance gaps and prioritize their resolution within applications running on SAP platforms.
Onapsis delivers tangible business results, including decreased business risk, highlighted compliance gaps, lower operational security costs and demonstrable value from the investment.