95% of SAP deployments 'vulnerable to cyber attacks'

Customer and supplier records could fall into hackers' hands, warns Onapsis

Over 95 per cent of SAP implementations have vulnerabilities exposing them to cyber attacks, it has been claimed.

While SAP disputes this claim as false, researchers from application security vendor Onapsis said they have found three serious flaws in the German tech giant's application layer.

These flaws could, if exploited, expose financial, credit card, customer and supplier data alongside intellectual property, the researchers said.


Analysing hundreds of companies' SAP systems, the firm found most of their patching windows were at least 18 months long.

This is despite SAP releasing 391 security patches in 2014 alone, averaging 30 a month, it added.

Mariano Nunez, Onapsis's co-founder, said: "The big surprise is that SAP cyber security is falling through the cracks at most companies due to a 'responsibility gap' between the SAP Operations team and the IT security team.

"Breaches are happening every day but still many CISOs don't know because they don't have visibility into their SAP applications."

The first of the three attack vectors identified by Onapsis is known as pivoting, where a hacker breaches a lower-security system and uses it to reach a more critical system, from which they could steal customer information and credit card data.

Another was a backdoor discovered in the SAP J2EE User Management Engine, which hackers can exploit to access SAP portals and process integration platforms that connect the company to its customers and suppliers.


Third was database warehousing attacks performed over SAP's proprietary protocols, in which an attacker abuses a user's privileges to execute operating system commands.

Onapsis claimed: "The hacker is able to obtain and potentially modify any business information stored in the SAP database."
In-memory data-processing engine HANA actually exacerbates the problems by 450 per cent if measured in security patch releases, according to Nunez.

He said: "With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise."

In response, an SAP spokesperson accused Onapsis of "alienating SAP customers while promoting Onapsis's own products."

They added: "SAP stands for secure and reliable software solutions. As the global leader in business software, we take customer security seriously and implement the highest degree of product safety.

"Confidentiality, integrity, availability and data privacy are core values for SAP and its customers. SAP has a comprehensive product security strategy across the enterprise that rests on three pillars: 'Prevent, React, Detect'.


"An important component of this strategy is the 'Secure Software Development Lifecycle' (SDL) which provides a comprehensive framework of processes, guidelines, tools and staff training.

"Thus, we are able to ensure that security software is an integral component when it comes to the architecture, design and implementation of SAP solutions."
