Virtual Forge finds on average 16 holes in ABAP code for attackers to exploit.
The custom code found in the average customer's SAP system contains 16 highly critical security flaws – each of them waiting to be exploited by any hacker looking to seize full control of the system.
This was one of the findings produced by the latest Business Code Quality Benchmark from Virtual Forge, which examined over 300 SAP systems at companies of every size and industry around the world.
In its new study, the SAP security provider has released the most comprehensive analysis conducted thus far on the proportion and quality of the custom code in SAP systems. The insights Virtual Forge has gathered are based on a series of anonymized scans.
“What’s particularly alarming is that every set of customer code we looked at contained significantly more fatal errors than in years past,” reveals Dr. Markus Schumacher, CEO at Virtual Forge. “These are the vulnerabilities that expose companies to attacks.”
Hackers can exploit these holes to copy, modify, or delete entire datasets, or to shut down an SAP system. The resulting damage to a company’s livelihood can be substantial.
In addition, the benchmark reveals that conventional IT security measures such as firewalls and antivirus software are not enough to protect a company against errors in its own ABAP code.
Instead, organizations are better served by devising a long-term SAP security strategy that covers everything from the automatic identification and elimination of coding errors to ABAP security training for in-house developers and the inclusion of code quality standards in vendor contracts.
One good way for SAP customers to get started is to take part in Virtual Forge’s SAP Risk Assessment, as Schumacher explains: “In the end, every participant receives an audit report they can use as a basis for effectively addressing the errors in their custom developments.”
He continues: “Plenty of real-world examples have shown that this not only makes an SAP system more secure, but faster and much more stable, as well.”