The Onapsis Security Blog

The world of business-critical application security and compliance is dynamic, with new developments happening on a continuous basis. Read our blog posts for recommendations, insights and observations on the latest news for safeguarding your SAP® and Oracle® applications.


Key Takeaways from SAP Sapphire Conference

Last week, I attended the SAP Sapphire Conference, run by America’s SAP Users’ Group (ASUG), as a first-time attendee. Here are a few of the themes I saw dominating the conference.

THE INTELLIGENT ENTERPRISE & SAP S/4HANA

SAP is investing heavily in putting more data in front of decision makers so that you are, in SAP's words, "making decisions without doubt." One keynote demonstrated a finance system running on the HANA in-memory database.

As you can imagine, the SAP S/4HANA migration (in either flavor, on-premises or cloud) dominated many conversations, even though SAP's 2025 deadline for ending mainstream maintenance of the older Business Suite is still years away. S/4HANA is the ERP suite rebuilt on the in-memory HANA database; it is the suite, not the database, that customers migrate to. The road to S/4HANA will not be easy, but the suite is designed with simplicity in mind, and SAP promises better governance, flexibility, cost control and technical independence. One stated objective is resilience: a fault in one component should not cascade into a failure of the whole system.

SAP is also aiming to be an even more data-driven company itself and to close the analytics divide, using machine learning and artificial intelligence to do it. For example, the SAP Analytics Cloud team ships one release a day, which has shifted its effort from fixing code to developing code. In SAP's view the speed of innovation has to increase, and cloud delivery is how they intend to get there.

SAP also recently acquired Qualtrics, an experience-management vendor; SAP's pitch is to combine Qualtrics's experience data with the operational data already held in SAP systems. In the keynote, they discussed finding solutions for complex problems, setting priorities so you can execute appropriately and using data to help drive the right questions.

THE CYBER RISKS AFFECTING SAP APPLICATIONS

The U.S. Department of Homeland Security (DHS) has issued three alerts about malicious cyber activity targeting ERP systems to obtain access to sensitive information: one in 2016 (TA16-132A), one in 2018 and the latest, AA19-122A, on May 2, 2019, just a week before Sapphire.

The May 2019 alert was issued in response to new exploits for SAP business applications that had been released in a public forum. The exploits target insecure configurations that SAP and Onapsis have warned about for years rather than new vulnerabilities, but their public release significantly raises the likelihood of successful attacks against SAP implementations globally. Onapsis estimates that these exploits, which it named 10KBLAZE, could affect 9 out of 10 SAP systems at more than 50,000 customers worldwide. To understand the impact on your organization, download the Onapsis threat report. Tim McKnight, SAP's chief security officer, and Mariano Nunez, Onapsis's chief executive officer, were both interviewed about 10KBLAZE; read their thoughts in this article.
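The post does not say which configurations the 10KBLAZE exploits abuse, so here is a concrete check. The publicly released exploits depended, among other things, on permissive SAP Gateway access control lists: the secinfo and reginfo files that decide who may start, and who may register, external programs through the gateway. The Python script below is added here as an example; it is not code from the original post or from Onapsis. It parses both files in SAP's version-2 syntax and flags permit entries that apply to any program from any host. The sample file contents are constructed, and the severity policy and the treatment of an omitted field as a wildcard are this example's own assumptions.

```python
"""Audit SAP Gateway ACL files (secinfo / reginfo) for permissive entries.

Added example, not code from the original post or from Onapsis. The line
syntax is SAP's documented version-2 ACL format; the sample file contents,
the severity policy and the wildcard default for omitted keys are this
example's own assumptions.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (severity, line number, message)

# Constructed sample: a secinfo that lets any user on any host start any
# program through the gateway. This is the shape of configuration the public
# 2019 exploits relied on.
SECINFO_WEAK = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed sample of a hardened secinfo: explicit allows, then deny-all.
SECINFO_HARDENED = """#VERSION=2
P TP=/usr/sap/PRD/SYS/exe/run/tp USER=prdadm HOST=local USER-HOST=local
P TP=sapxpg USER=* HOST=internal USER-HOST=internal
D TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed sample: a reginfo that lets any host register any program name.
REGINFO_WEAK = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""


def parse_acl(text: str) -> List[Tuple[int, str, Dict[str, str]]]:
    """Parse version-2 ACL lines into (line number, 'P' or 'D', {KEY: value})."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or the #VERSION header
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D, got {action!r}")
        fields: Dict[str, str] = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            fields[key.upper()] = value
        entries.append((lineno, action, fields))
    return entries


def audit_acl(text: str, kind: str) -> List[Finding]:
    """Flag 'P' (permit) entries that widen gateway access beyond local/internal.

    kind: 'secinfo' (who may start which program) or 'reginfo' (which external
    programs may register). Severity policy (this example's own assumption):
      high   - TP=* combined with a wildcard host: anyone, from anywhere
      medium - TP=* limited to HOST=internal/local, or a named program
               reachable from any host; worth a review
    An omitted key is treated as '*' (assumption made by this example).
    """
    if kind not in ("secinfo", "reginfo"):
        raise ValueError("kind must be 'secinfo' or 'reginfo'")
    host_keys = ("HOST", "USER-HOST") if kind == "secinfo" else ("HOST",)
    findings: List[Finding] = []
    for lineno, action, fields in parse_acl(text):
        if action != "P":
            continue  # deny entries never widen access
        any_program = fields.get("TP", "*") == "*"
        wild_hosts = [k for k in host_keys if fields.get(k, "*") == "*"]
        if any_program and wild_hosts:
            findings.append(("high", lineno,
                             f"{kind}: TP=* with {'/'.join(wild_hosts)}=* permits any host"))
        elif any_program:
            findings.append(("medium", lineno,
                             f"{kind}: TP=* restricted to HOST={fields.get('HOST', '*')}; review"))
        elif wild_hosts:
            findings.append(("medium", lineno,
                             f"{kind}: program {fields['TP']} reachable from any host"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Return 'high', 'medium' or 'none' for a list of findings."""
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    samples = [("secinfo (weak)", SECINFO_WEAK, "secinfo"),
               ("secinfo (hardened)", SECINFO_HARDENED, "secinfo"),
               ("reginfo (weak)", REGINFO_WEAK, "reginfo")]
    for name, text, kind in samples:
        result = audit_acl(text, kind)
        print(f"{name}: worst={worst_severity(result)}")
        for severity, lineno, message in result:
            print(f"  [{severity}] line {lineno}: {message}")
```

Point it at the files named by the gw/sec_info and gw/reg_info profile parameters of each instance; a high finding is the kind of entry the public exploits needed, and the gateway will also fall back to permissive behaviour when the files are missing, so an absent file deserves the same attention as a wildcard line.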

The 2018 alert was prompted by research showing a 100% increase in public exploits for SAP and Oracle E-Business Suite applications since 2015. That research also documented the exchange of detailed information about SAP vulnerabilities on criminal forums and found more than 17,000 ERP applications belonging to large public and private organizations directly connected to the internet. The 2016 alert concerned the Invoker Servlet vulnerability in SAP NetWeaver Java (CVE-2010-5326) and urged organizations to apply the available patches, since exploitation gives a remote attacker full access to the SAP platform.

An attack on your SAP applications would have a devastating impact on your organization's finances and reputation, yet these applications remain a blind spot because they are commonly out of scope for security teams. The opportunity falls to the SAP BASIS and IT operations teams, whose primary focus is availability and uptime, to manage these applications proactively, including patching and the handling of security incidents; an unpatched, exposed system is as much an availability risk as a security one.

Visibility is critical: you need to detect misconfigurations and vulnerabilities in systems and code, internal misuse and external attacks, compliance violations and unauthorized change. Traditional cybersecurity investments have focused on defending the perimeter rather than the ERP application layer. Likewise, the tools ERP vendors provide are not purpose-built for security or compliance and are therefore complex and cumbersome to maintain, manage and use. That is not only unsustainable; it also leaves no independent control or governance over risk in these systems.

DIVERSITY AND INCLUSION

There was a lot of focus on supporting diversity and inclusion; as a minority woman, these are topics close to my heart. Did you know that SAP.iO Foundries is SAP's accelerator arm? Forty percent of the capital it invests goes to companies founded by women and diverse entrepreneurs. SAP also announced a partnership with Karlie Kloss to support women interested in coding and in pursuing careers in computing.

CONCLUSION

As a newbie, I found SAP Sapphire a fabulous event. I really enjoyed engaging with many of Onapsis's current and potential customers to help understand how our solutions can help them migrate to SAP S/4HANA with confidence, secure their core business applications, ensure changes won't disrupt operations and build a resilient organization.

Did you attend the conference? If so, I would love to hear your thoughts and opinions.
