
SAP Security: The Responsibility of Security Vendors

Responsibility of SAP security vendors regarding SAP Security

The news is full of reports about software vulnerabilities, so many that it is easy to lose track. Even SAP customers are sometimes surprised by new serious vulnerabilities, and installing the patches can be a challenge in itself. But what happens when a security solution itself becomes the problem?

In this short text, we would like to provide a few insights into the mindset and thought process of an SAP security solution provider. 

Secure architecture

Security-by-design is often used as a buzzword. What it means is applying core security requirements at the earliest stage of the software build process, the design phase. Hence, when designing a new product capability or feature, we do not only evaluate technical feasibility but also validate the security aspects, ensuring that the architecture remains secure by design and that the default delivery is safe.

As an example, continuous security requires regular updates, affecting both the software and the detection signatures, to deal with the newest vulnerabilities.

For both convenience and accuracy, the SecurityBridge platform, which runs entirely on customer premises, offers remote update capabilities. However, such an update does not require an active inbound connection to the customer's system, and no remote maintenance access is required or desired.

Another core aspect of our solution offering is that no additional components (software & hardware) are required. SecurityBridge is an add-on that adds cybersecurity functionality to the SAP technology. 

So, our approach does not introduce any bolt-on software or hardware-based technology, such as virtual appliances or Docker containers, which could enlarge the attack surface in your network.

Furthermore, all SAP data (configuration, logs, topology maps, vulnerability findings, etc.) remains in the trusted technology stack of the SAP applications. This ensures that valuable and security-relevant information does not fall into the hands of threat actors.  

Such an architectural approach ensures that communication credentials (including password hashes) remain in the SAP system and continue being actively monitored by SecurityBridge. 

Our promise to SAP customers

We protect your information as rigorously as we protect our own. We will inform you promptly and transparently of any serious product vulnerability that may affect you. We will advise the affected parties to implement a final solution or an effective workaround until a solution is available. 

As validated and certified software, SecurityBridge applies industry best practices to validate performance, scalability, usability, security, and functional operation before release packaging and public delivery. We work with partners and independent security experts to verify our results.

For questions on the SecurityBridge Information Security Policy, please contact us via: Security@SecurityBridge.com 

Our responsible disclosure policy can be found here: https://securitybridge.com/resp-disclosure-policy/

Posted by

Ivan Mans