SAP SRM Security

What is SAP SRM?

SAP Supplier Relationship Management (SRM), a part of SAP Business Suite, is one of the most widely used systems of its kind around the world. Its main purposes are to optimize interaction with suppliers and to automate tender processing as far as possible.

Unauthorized access to the system can result in reputational damage and financial losses for the company. Most alarmingly, the system is accessible from the Internet, which makes it an attractive target for remote attacks.

SAP SRM Security Risks

There are multiple risks related to SAP SRM systems. Some of them are listed below.

Competitor intelligence (Espionage)

With access to an SAP SRM system, unfair competitors can obtain pricing data and use it to adjust their own prices to win a tender. SAP Cfolders, the document exchange application in SAP SRM, typically contains both vulnerabilities and misconfiguration issues, which makes it a convenient way for attackers to reach the contractors' documents. The most likely consequence of exploiting these issues is theft of official pricing information. A competitor's documents can be removed from the system entirely, or the information in them can be manipulated in order to win a tender. We have successfully simulated this breach during penetration tests.

Theft of funds (Fraud)

With access to the procurement system, an attacker can falsify payment orders. Once a falsified order in favour of a front company is accepted, the money is transferred to an arbitrary bank account.

Undermining reputation (Sabotage)

Access to the procurement system can also be misused to undermine the company's reputation. Breach of obligations, delayed payments and willful disregard of obligations can all be brought about simply by removing or substituting information exchanged between the company and its suppliers, in either direction.

SAP SRM Vulnerabilities

SAP SRM uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main platform. It is therefore potentially exposed to all the vulnerabilities of that platform, which number more than 1050. In addition, there are about 80 vulnerabilities specific to the various modules of SAP SRM.

Typical examples of SAP SRM vulnerabilities are found in the SAP Cfolders application (SAP Security Notes 1284360 and 1292875). Most of these vulnerabilities enable unauthorized access, with administrative rights, to the documents stored in the system.

How can our software help ensure SAP SRM Security?

ERPScan Smart Cybersecurity Platform for SAP has a wide range of checks designed to discover security issues specific to SAP SRM systems. The solution's leading position in the field has been confirmed by multiple awards. It is the only SAP SE-certified solution on the market that identifies, analyzes and remediates all SAP security issues and enables powerful protection against cyber-attacks and fraud. It covers all three tiers of SAP security: vulnerability management, source code review for custom programs and segregation of duties (SoD).