At Virtual Forge, we have a deep knowledge and understanding of SAP security. For example, in our 2016 Business Code Quality Benchmark report, we found that for every 1,000 lines of SAP code (and there are on average 1.9 million lines of code per SAP customer system), there are 1.1 critical security flaws.
Add those up and any given enterprise organization can have a pretty big backlog of security vulnerabilities – around 2,151 per SAP system – that need to be fixed.
Unfortunately, there are only twenty-four hours in a day, and even the best intentions can’t tackle that many security issues at once, so prioritization becomes key.
Why are there so many critical security flaws in SAP applications and how can you mitigate these security vulnerability risks in your own organization’s code? For starters, these security vulnerabilities tend to happen in custom SAP code, which accounts for the vast majority of enterprise SAP applications.
Oftentimes, companies are unclear on whose responsibility it is to ensure that any security weaknesses are identified and fixed before the applications go live.
And unfortunately, many organizations fail to realize that it is, in fact, their responsibility to check for these types of security flaws. This obviously creates some pretty major security and compliance issues for companies, so let’s talk about what types of risks are the most common for SAP code.
Security and Compliance
Security and compliance vulnerabilities are usually the most immediate concerns for enterprise organizations, given the potential risks associated with cybersecurity attacks that can be used to exploit a security vulnerability within an SAP application. From our research, we identified five of the most common security and compliance code issues:
- Authorization Flaw
- Directory Traversal
- Direct Database Modification
- Cross-Client Access
- Open SQL Injection
Out of a standard SAP system with an approximate 1.9 million lines of code, there are 2,197 critical security and compliance vulnerabilities.
Any one of these can have serious bottom-line repercussions for a company, but even more worrisome is that out of those 2,197 security issues, 16 are so severe that they can result in a total system compromise if just one of them is exploited by an attacker.
We’re talking about an outsider gaining full access to all sensitive business data from exploiting just one of these 16 severe security issues.
Even worse, we found a high probability of backdoors in SAP systems, with 68% of them lacking proper authority checks.
Cybersecurity is fast becoming one of the primary focuses for enterprise organizations – and not just within the IT department.
The rash of high-profile cybersecurity attacks over the past year has brought this issue to the forefront with the C-Suite and the Board of Directors, many of whom are beginning to better understand the risks involved with not investing in IT security, improved IT infrastructure, and SAP application security.
Unfortunately, many organizations still have a long way to go when it comes to improving SAP code quality.