While only in release candidate form, the current proposed changes to the OWASP Top 10 Application Security Risks provide clear guidance for any enterprise that needs to secure and protect their critical enterprise business applications. In general, the OWASP Top 10 and these two additions can be directly applied to an approach and methodology for securing ERP based business applications and systems.
As with the second Tuesday of every month, today SAP released its monthly Security Notes. This month, SAP published 19 new Security Notes, as well as a summary of 28 different notes including ones published last patch Tuesday. For a second month in a row, there’s a ‘Hot News’ item relating to Remote Code Execution.
We are just a few days away from the release of SAP’s April Security Notes. Since this past month included some of the most critical notes we have seen to date for SAP, we’d like to review a few things we saw in March to ensure we have everything fully covered before heading into April. It was an interesting month for SAP Security, as findings from our Researchers yielded the second ‘Hot News’ note to date for 2017. In addition however, there were some other important vulnerabilities published in March that were tagged as ‘High Priority’ and should be mitigated if present in SAP systems.
Today SAP release its monthly Security Notes, as they do the every second Tuesday of every month. Among the 27 SAP Security Notes published today, 5 of them are related to SAP HANA, and were originally reported by Onapsis Research Labs. One of them, note #2424173, is the only SAP Security Note tagged as Hot News this month as it solves several vulnerabilities in the Self Service component (disabled by default) that can allow an attacker to fully compromise the SAP HANA system without the need of credentials.
I’m pleased to announce that today we’re kicking off our third annual Onapsis Roadshow series in North America. With the major developments SAP cybersecurity has seen over the past few months, I feel like our roadshows could not have come at a better time.