
SecurityBridge Unveils Its New Security Roadmap For SAP

Security & Compliance - Roadmap

Company Blog Details How To Decrease SAP Attack Surfaces If No Patches Are Available

Ingolstadt, Germany, February 7, 2022 – SAP security provider SecurityBridge, now also operating in the U.S., today announced its new Security Roadmap for SAP. The new feature simplifies the road to SAP security (secure configuration, hardening against hackers, and eliminating SAP vulnerabilities) by enabling IT personnel to instantly group all required software fixes into one area. These SAP patches are automatically prioritized with a red, yellow, green “traffic-light” pattern so the most vulnerable issues are quickly addressed and not overlooked among the ever-growing list of security patches to implement. For more insights on how to reduce SAP threats, read “Understand and Reduce the Attack Surface.”

On the second Tuesday of every month, SAP releases a list of security patches to help protect its software from malicious hacking attempts. The list of recommended patches can quickly accumulate, causing IT personnel to lose track of the most crucial vulnerabilities and of documenting the process of analyzing, testing, and installing SAP patches. As part of the SecurityBridge Platform, the new Security Roadmap for SAP not only evaluates the resolution complexity of any security issue, as well as the probability of exploitation, but also groups these patches in a logical hierarchy of importance. In addition, the Security Roadmap enhances the Security & Compliance Monitor, which supports users to:

  • Customize their own SAP Security baselines.
  • Combine information from other platform sources and the online KB.
  • Obtain insights on what may be missing and on new SAP severity notes.
  • Jump to patch management and supplement data to a risk tool.
  • Experience a 360° view of activities and detected vulnerabilities to understand the impact in SAP.
  • Create incidents from a finding, containing all information to report and initiate the remediation and document the status.

“The best solution to a complex problem is often based on a simple idea,” said Christoph Nagy, CEO, SecurityBridge. “Given today’s unceasing corporate hacker environment, IT personnel must stay current on known SAP security issues and apply the recommended patches in a timely manner. SecurityBridge’s Roadmap for SAP utilizes a modern and structured SAP Fiori UI to bridge any communication gaps between IT stakeholders helping them to identify and categorize risks so vulnerabilities are remediated through a documented and logical mitigation process.”

SAP Zero-Day Exploitation
A zero-day vulnerability is a vulnerability (often a software flaw) that has been disclosed but is not yet patched. The Log4j vulnerability, for example—characterized as the single biggest, most critical vulnerability of the last decade—was identified in November 2021, made public in December 2021, but existed unnoticed since 2013!

February 8, 2022 was another SAP Security Patch Day, and new security patches were released by SAP. This event always starts the race between attackers and defenders, where defenders only win by installing the patch before exploitation. However, even with this combined effort, zero-days can’t be eliminated.

As no patch is available for a Zero-Day scenario, there are a number of options companies may consider to protect themselves:

  1. Reduce the attack vectors: any connection point, such as SAP Internet Communication Framework (ICF) services, that is not used or needed must be deactivated.
  2. Software components that do not serve a distinct purpose must at least be deactivated. For example, most SAP customers still run at least one SAP NetWeaver system where client 066 exists; this client is no longer needed.
  3. Harden the SAP system: ensure the system is securely configured using a best-practice, industry-proven security baseline.
  4. The recent Log4j incident, and also the older RECON disclosure, have proven that vulnerabilities can exist for a long period of time without being noticed. Constant SAP system security monitoring is a key action to protect against severe damage.
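Steps 1 and 2 above amount to an inventory review: list what is reachable or present, compare it against what the business actually needs, and queue the rest for deactivation. The following script is an added illustration of that review and is not SecurityBridge's code. It works on two constructed CSV exports whose column layout is assumed: one resembling the ICF service tree (as maintained in transaction SICF) and one resembling the client table T000. The required-services allow-list is likewise an assumption that each organization must define for itself.

```python
"""
Attack-surface review over constructed SAP exports (added example, not product code).

- Flags active ICF service nodes that are not on a required-services allow-list
  (step 1: deactivate unused connection points).
- Flags clients that are known to be obsolete, e.g. client 066 (step 2).
The CSV layouts below are assumed; adapt the column names to your own export.
"""
import csv
import io

# Constructed sample resembling an export of the ICF service tree.
# Assumed columns: path, active ("X" = node is active), description.
ICF_EXPORT = """\
path,active,description
/sap/bc/gui/sap/its/webgui,X,SAP GUI for HTML
/sap/bc/soap/rfc,X,SOAP RFC endpoint
/sap/public/info,X,Public system information
/sap/bc/ping, ,Ping service
/sap/opu/odata,X,OData gateway
"""

# Constructed sample resembling rows of the client table T000.
# Assumed columns: mandt (client number), mtext (client name).
CLIENT_EXPORT = """\
mandt,mtext
000,SAP AG
001,Delivery client
066,EarlyWatch
100,Production
"""

# Assumed allow-list: the only ICF services this (hypothetical) business needs.
REQUIRED_SERVICES = ["/sap/bc/gui/sap/its/webgui", "/sap/opu/odata"]

# Clients the text identifies as no longer needed.
OBSOLETE_CLIENTS = ("066",)


def parse_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def active_services(icf_rows):
    """Set of ICF paths whose active flag is set."""
    return {row["path"] for row in icf_rows if row["active"].strip() == "X"}


def unneeded_active_services(icf_rows, required):
    """Active ICF nodes that are not on the allow-list: candidates for deactivation."""
    return sorted(active_services(icf_rows) - set(required))


def obsolete_clients_present(client_rows, obsolete=OBSOLETE_CLIENTS):
    """Client numbers from the export that are on the obsolete list."""
    return sorted(row["mandt"] for row in client_rows if row["mandt"] in obsolete)


def review(icf_text, client_text, required):
    """Run both checks and return the remediation backlog as a dict."""
    return {
        "deactivate_services": unneeded_active_services(parse_csv(icf_text), required),
        "remove_clients": obsolete_clients_present(parse_csv(client_text)),
    }


if __name__ == "__main__":
    backlog = review(ICF_EXPORT, CLIENT_EXPORT, REQUIRED_SERVICES)
    for action, items in backlog.items():
        print(f"{action}:")
        for item in items:
            print(f"  - {item}")
```

Running the script on the constructed data lists `/sap/bc/soap/rfc` and `/sap/public/info` under `deactivate_services` (active but not required) and `066` under `remove_clients`; the inactive `/sap/bc/ping` node is correctly left alone. In practice the allow-list should be reviewed by the application owners before anything is switched off, and the backlog can be fed into the same incident or change process the roadmap describes.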

Posted by

Till Pleyer