7 most read blog posts of 2016

In 2016, we covered a wide variety of topics, from the analysis of cybersecurity incidents involving business applications to practical advice on how to secure your systems. We decided to begin the new year with an overview of the most popular ERPScan blog posts of 2016.

1. What is SAP Security?

It is rather funny: ERPScan has been dealing with SAP Security for almost 10 years, but we had never devoted a special blog post to answering this question before. In this article, we considered SAP Security as a mix of 3 areas, Segregation of Duties, Custom Code Security, and Application Platform Security, and described each part in detail.

It turned out that many people taking their first steps in SAP security needed a short and simple answer to the question “What is SAP security?”. Hopefully, our article helps all SAP security novices.

2. Was it a real cyberattack on SAP using invoker servlet?

On May 11, 2016, the Department of Homeland Security published the first-ever US-CERT alert about an SAP vulnerability. According to the statement, 36 organizations worldwide were attacked by presumed Chinese hackers exploiting a security issue in the SAP Invoker Servlet. This news immediately made the cybersecurity headlines.

The ERPScan research team conducted its own investigation, which revealed that there was no conclusive evidence of the attacks. Nonetheless, the real picture turned out to be even worse: the number of vulnerable systems available online is measured in hundreds.

3. SAP Security Notes June 2016 – Review

As you may know, SAP releases its set of security patches (Security Notes) on a monthly basis, and we regularly conduct an analysis of the Notes. Every month, we highlight the specific features of the batch that make this set of fixes remarkable. Some of these features are interesting only to SAP Security professionals; others can attract the attention of a wider audience.

SAP Security Notes of June 2016 definitely belong to the second group, as the set of patches addresses a vulnerability that stayed unpatched for 3 years, whereas, as a rule, it takes a vendor approximately 1-3 months to release a fix.

In particular, the vulnerability we are speaking about was reported on the 20th of April, 2013. This means that it took SAP more than 3 years to fix the issue, which attracted the attention of the security media.

4. Oil and Gas Cybersecurity basics

In 2016, researchers from ERPScan warned that vulnerabilities in business applications can expose Oil and Gas companies to high-impact cyberattacks aimed at sabotaging plant equipment and even causing physical damage. This topic was hot, so we decided to begin a series of articles sharing our experience and understanding of the processes as we saw them in a real environment.

The first post provides the fundamentals for those who are interested in learning more about Oil and Gas cybersecurity.

5. Oracle Critical Patch Update January 2016

Oracle releases its security patches (Oracle Critical Patch Update, or CPU) every quarter. On the 19th of January, the vendor released the first CPU of the year, addressing 248 vulnerabilities. The security media called it a monster patch because of the record-breaking number of security fixes. The ERPScan research team was among the first experts to point this out.

However, that was just the beginning. Oracle’s quarterly security updates keep getting bigger (253 in October and 276 in July).

6. SAP Cybersecurity history

2016 was, in a sense, the 10-year anniversary of real SAP Security. To celebrate the date, we published a blog post covering the milestones of SAP Cybersecurity research.

Let’s trace the history of SAP Security, from locally known technical research papers to SAP Security news featured in the international media. We have collected all the significant moments in one article.

7. SAP Security for CISO. Part 4: SAP Security Myths

At the SourceBarcelona security conference in 2010, Alexander Polyakov (CTO at ERPScan) delivered his presentation ERP Security Myths, Problems, Solutions. As the title implies, he dispelled some of the most common myths related to SAP Security.

Six years after the talk, we decided to gather all these misconceptions in a blog post and debunk them once again, since some of them still persist. Do you think that SAP Security is the vendor’s responsibility, or that business application internals are very specific and not known to hackers? If so, you should definitely read the blog post.

Stay tuned! In the new year, we will continue writing articles to help both security professionals and those who would like to learn more about business application security.