SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
As many of you know, the Onapsis Research Labs regularly releases security advisories detailing the latest known vulnerabilities on SAP applications. Recently, our team has discovered 10 new vulnerabilities that affect SAP HANA. Among these are two “high risk” vulnerabilities which could be used to abuse management interfaces, access corporate data or modify any system configurations, and render systems unusable.
Recently, I published a post on the SAP Security Gap. This post discussed the present disconnect between security professionals and business executives on the vulnerability of their SAP systems. With SAP Cyber-Security continuing to be a topic of concern making mainstream headlines, it is critical that organizations begin to think about this notion in more detail if they wish to truly secure their enterprise applications such as SAP or Oracle.
When talking about IT control standards, ISACA is one of the top reference organizations. For people in the “audit & controls” world, ISACA is a common word. For those who don’t know, ISACA is an independent, nonprofit organization focused on the development of industry-leading knowledge and practices for information systems. ISACA released a new version of its SAP security guide Security, Audit and Control Features – SAP ERP 4th Edition, which is a very complete guide to audit different processes in SAP from a technical point of view.