SAP Cyber Security in Figures. Global Threat Report

Nowadays, SAP cybersecurity is in the public eye. Nonetheless, this topic attracted researchers’ attention almost 10 years ago. SAP Security experts have delivered numerous presentations on SAP cybersecurity covering a wide range of subjects, from various attacks on ERP systems, SAP HANA, and SAP Mobile solutions to specific issues related to the Oil and Gas or Manufacturing industries. However, when it comes to securing a real SAP environment, nobody is in charge of the security of the most critical system elements.

To help SAP customers solve this difficulty, ERPScan publishes comprehensive research on SAP Security each year. The annual report provides a high-level overview of the topic. Because SAP Security is a complex subject in itself, the research considers it from three perspectives: SAP Product Security, SAP Implementation Security, and SAP Security Awareness.

Key Findings

SAP Product Security

  • The average number of security patches for SAP products per year has slightly decreased.

    Nonetheless, this does not mean that the number of issues has dropped as well. SAP now fixes multiple vulnerabilities in one patch, whereas 3 years ago each patch addressed a single one. The new approach simplifies the patching process, since system administrators need to apply fewer updates. However, it complicates analysis and correlation with CVE identifiers, as SAP does not publish how many vulnerabilities each patch fixes.

  • The list of vulnerable platforms has expanded and now includes modern cloud and mobile technologies such as HANA.

    Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, so every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). If any of these vulnerabilities were exploited by a hacker, the world’s economy would face dreadful consequences. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and an SAP HANA vulnerability affects 6000+ SAP HANA users.

  • There are vulnerabilities in almost every SAP module; CRM, EP, and SRM lead the list.

    Without a doubt, the cybersecurity level varies from module to module. According to our study, the most vulnerable products are CRM, EP, and SRM. However, one should not underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules mentioned above were introduced about two dozen years ago, but their first vulnerabilities were discovered only several years ago; in other words, SAP HANA and SAP Mobile apps attracted researchers’ (and, unfortunately, hackers’) attention more quickly than the traditional ones.

  • The number of vulnerabilities in industry-specific solutions has grown significantly.

    SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in these industry solutions. The most susceptible industry solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.

SAP Implementation Security

  • The threat landscape is growing worldwide, affecting 36000 systems.

    It is growing especially in countries that are unaware of SAP cybersecurity. Almost 36000 SAP systems were identified that expose services vulnerable to cyberattacks. Most of those services (69%) should not be exposed directly to the Internet at all.

  • Consequences of the incidents are becoming more and more dramatic.

    We stated in 2013 that interest in SAP platform security was growing exponentially. We predicted that SAP systems could become a target both for direct attacks (e.g. APT) and for mass exploitation because of a range of easily exploitable and widely installed services accessible from the Internet. Since 2013, we have witnessed 4 major cyber incidents related to SAP Security.

  • Critical IoT infrastructure is at risk.

    SAP not only manages enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used as a path to compromise critical infrastructure.

SAP Security Awareness

  • Almost half of the unnecessarily exposed services are located in 3 countries

    Numerous unnecessarily exposed services are found in countries where new technologies are being widely adopted (such as the USA, India, and China).

  • The number of SAP Security talks delivered at conferences worldwide correlates with the number of unnecessarily exposed services (relative to the total number of implemented systems).

    Countries where the most SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) have more secure SAP installations than countries where SAP researchers did not present their studies. ERPScan is proud to have been invited to speak in 25 different countries across 6 continents, including places such as Cyprus, Kuwait, and Hungary. Hopefully, this has helped to raise SAP Security awareness worldwide.

  • The previous report helped to decrease the number of exposed SAP systems with critical issues

    While the number of publicly available SAP services is growing, the number of systems with highly critical vulnerabilities in easily accessible services, as presented in the previous report, has decreased, we hope not least due to our previous SAP Security in Figures research released in 2013. However, new issues of equal criticality are described in this report.
