SAP tends to make headlines somewhat infrequently when it comes to security issues, but a recent report from business application security research firm ERPScan indicated the number of vulnerable SAP systems is increasing. Vulnerabilities have also been detected in the company’s cloud, mobile and HANA offerings.
The report noted that 36,000 SAP systems worldwide are connected to the Internet, although 69 percent should not be directly connected to it. ERPScan’s report calls this issue “unnecessarily exposed SAP services.” The United States leads the top 10 list of countries with the most unnecessarily vulnerable systems at 3,660, followed by India and China (which share second place).
According to ERPScan, interest in SAP cybersecurity has increased in recent years. SAP aims to educate its customer and partner base with a monthly security report.
The August report indicated continuing growth in denial-of-service attacks against SAP systems. An Onapsis security blog post noted that the August SAP security report showed the highest number of DoS attacks so far in 2016. When combined with the number of DoS vulnerabilities noted in the July report, there’s evidence of more DoS attacks in the last two months than in the entire first half of the year.
Based on the ERPScan report, security vulnerabilities can be found just about everywhere within the SAP portfolio. The report indicated there are vulnerabilities in every module. The most vulnerable product category is SAP’s CRM portfolio, followed by Portal and SRM.
Part of the reason for the increase in vulnerabilities and growing interest in SAP security initiatives is the vendor’s forays into modern cloud and mobile technologies, the report noted. Both cloud and mobile are high on SAP’s priority list, but that focus also means increased risk. Because of the company’s installed base, cloud and mobile vulnerabilities could affect thousands of multinational companies, the report indicated. Reported SAP Mobile issues could affect more than 1 million devices worldwide, the report stated.
The report paints a gloomy picture, offset by the fact that SAP’s regional talks on securing its systems have increased around the world.