Practical advice for SAP security

Segment, restrict, encrypt, enforce, change, harden, update...

99.9% of the time MWR can successfully compromise the SAP systems that we are contracted to assess. Almost always, this would not have been possible had standard best practice defensive measures been implemented.

Each time I deliver a presentation at a conference, briefing or client meeting on the security of the SAP platform, I am asked the same question: “What practical advice can you give to remediate and/or mitigate the threat of compromise?” This advice is compiled and presented in the assessment reports delivered to clients at the end of an engagement, where we have been able to compromise the SAP system.

To answer that question here, there are a number of resources and guides available from SAP, Microsoft, OWASP, etc., that can help you to design, implement, configure and/or deploy secure SAP systems, some of which are presented below:

Additionally, resources such as the OWASP EAS Project can be of help.

This last project is very much in its infancy, but it can be a useful resource and one to watch. The same may be said of the Business Application Security Initiative, a non-profit organisation that focuses on security defects in business applications (including SAP).

The truth of the matter, however, is that SAP is no different from any other interconnected business system. Traditional network and application testing tool sets/methodologies are just as applicable to SAP systems, and network and application security best practices/principles are just as relevant. There are naturally some application technologies, system specifics and protocol idiosyncrasies that you need to be familiar with. However, for the most part the advice given (at a high level) to secure a SAP system is no different from that which is given when looking to secure a typical network, application or system.

Prohibit unauthorised access, prevent privilege abuse

First, the functions that SAP and its interconnected systems expose must prohibit unauthenticated and unauthorised access. The operating systems and supporting databases that make up the ‘core business’ infrastructure must prevent such access too.

In addition, authenticated and authorised users should be prevented from abusing their privileges to circumvent security controls.
Finally, the system’s authorisation model must enforce ‘business logic’ rules and ensure the principles of ‘least privilege’ and ‘segregation of duty’ are adhered to.

In essence this translates into the following practical advice:

  • Segment the network to isolate and control the attack paths
  • Restrict all communication channels to those that explicitly require access
  • Encrypt ALL communication channels
  • Change default application, database and operating system usernames and passwords
  • Enforce strong authentication
  • Harden the configuration of all services in line with security guides, SAP notes and recommendations from security practitioners
  • Patch and regularly update the applications, databases and operating systems
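The “change defaults, enforce strong authentication, encrypt everything, harden per the guides” items above can be checked mechanically. The following is an added example, not code from the original post or from any SAP product: it parses an SAP instance profile (DEFAULT.PFL style text) and compares a handful of well-known profile parameters against a small hardening baseline. The sample profile is constructed, and the baseline thresholds (12-character minimum, lock after 5 failures, 90-day expiry) are assumptions drawn from commonly cited guidance, not a normative SAP value set; the parameter names themselves (login/no_automatic_user_sapstar, snc/enable, auth/rfc_authority_check, gw/acl_mode, icm/server_port_N) are real SAP profile parameters.

```python
"""Check an SAP instance profile against a small hardening baseline.

Added example, not code from the original MWR post. The baseline values
below are assumptions taken from commonly cited SAP hardening guidance;
reconcile them with the relevant SAP Notes and your own policy before use.
"""
import re

# Constructed sample of an instance profile. Deliberately weak, not a real system.
SAMPLE_PROFILE = """
# SAP profile parameters - constructed sample
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/password_expiration_time = 0
snc/enable = 0
auth/rfc_authority_check = 0
gw/acl_mode = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# parameter -> (predicate on the raw string value, human-readable expectation).
# Thresholds are hardening assumptions, not an official SAP baseline.
BASELINE = {
    "login/no_automatic_user_sapstar": (lambda v: v == "1",
        "1 (disable the built-in SAP* fallback logon)"),
    "login/min_password_lng": (lambda v: v.isdigit() and int(v) >= 12,
        ">= 12 characters"),
    "login/fails_to_user_lock": (lambda v: v.isdigit() and 1 <= int(v) <= 5,
        "lock after 1..5 failed attempts"),
    "login/password_expiration_time": (lambda v: v.isdigit() and 1 <= int(v) <= 90,
        "expire within 1..90 days (0 means never)"),
    "snc/enable": (lambda v: v == "1",
        "1 (Secure Network Communications for DIAG/RFC)"),
    "auth/rfc_authority_check": (lambda v: v in ("1", "2", "9"),
        "RFC authority checks enabled (1, 2 or 9)"),
    "gw/acl_mode": (lambda v: v == "1",
        "1 (gateway enforces secinfo/reginfo ACLs)"),
}


def parse_profile(text):
    """Return {parameter: value} from profile text, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_profile(params):
    """Return a list of (parameter, actual, expected) tuples that fail the baseline.

    An unset parameter is reported as '<unset>' because SAP's shipped default
    is the weak setting for every parameter in BASELINE.
    """
    findings = []
    for name, (is_ok, expected) in BASELINE.items():
        actual = params.get(name)
        if actual is None or not is_ok(actual):
            findings.append((name, "<unset>" if actual is None else actual, expected))
    # Any ICM listener still speaking plaintext HTTP violates "encrypt ALL channels".
    for name, value in params.items():
        if name.startswith("icm/server_port_") and re.search(r"PROT=HTTP(?!S)", value, re.I):
            findings.append((name, value, "PROT=HTTPS (or remove the plaintext listener)"))
    return findings


if __name__ == "__main__":
    for param, actual, expected in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{param}: got {actual!r}, expected {expected}")
```

Run it against a copy of the profile from the instance’s profile directory rather than the constructed sample; a clean run returns an empty list, and every tuple returned is a concrete remediation item to hand to the basis team.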

To maintain a level of security and ensure ongoing security maintenance of large estates, organisations with mature security programmes can leverage automated vulnerability assessment suites to help them identify resident vulnerabilities and security defects.
Traditional vulnerability scanners such as Nessus are not “SAP aware”, however: they will find the operating system and database issues but not the SAP-specific configuration and authorisation defects.

There are, however, two very good SAP certified products that are capable of performing automated security assessments of SAP systems: ERP-SCAN and X1.

Once you are satisfied that the system has been hardened and are reasonably confident that you have done all that you could have done to protect your ‘crown jewels’, the SAP system (and interconnected systems) should be subjected to an assessment that includes (but is not limited to) a benchmark against the BIZEC TEC/11.

The BIZEC TEC/11 lists the most common and most critical security defects and threats affecting the Business Runtime layer of SAP platforms. The list is sorted, with each element having a criticality, either Very High (V) or High (H), and indicating whether it is a Rare (R) or Common (C) problem, helping organisations to prioritise remediation measures.
