There are many methods for assessing the risk potential of SAP landscapes and identifying potential vulnerabilities, so it isn’t always easy to keep track of all the alternatives. Options range from vulnerability scans to audits and penetration tests. But which approach is the right one for identifying vulnerabilities depends entirely on your individual requirements.
Vulnerability Scan: Comprehensive overview of existing vulnerabilities.
A variety of approaches, each with different focuses, can be used to derive a statement regarding the security level of an SAP system or system landscape.
One method of doing this is vulnerability scans – sometimes also called vulnerability assessments.
In this approach, SAP systems are scanned for known vulnerabilities in an automated or semi-automated process, and the results are listed in a tabular report. In the simplest case, this can be a list of security-relevant parameters from an SAP application server without any further assessment. The items in such a simple list are not verified to determine whether the vulnerabilities could actually be exploited, as they would be in a penetration test (more about that below).
Furthermore, some of the identified vulnerabilities might be false positives: vulnerabilities that are listed but do not pose a risk in the current system context, or that are due to system engineering details.
Regular vulnerability scans are essential to ensuring information security in general and should be repeated periodically. In addition to incorrect parameter settings on SAP application servers, vulnerability scans can also detect problems such as missing patches, outdated logs, and obsolete certificates and services.
Security & Compliance Audit: A thorough, comprehensive review.
A Security & Compliance Audit provides an extensive, formal overview of the security of the systems and of the security-relevant processes within a company. As such, an SAP audit represents a more thorough and comprehensive examination. In addition to physical aspects, such as the network architecture and the security of the operating platform and application server, a security audit also involves reviewing and testing the current security concepts, including aspects such as SAP authorizations and the handling of emergency users.
From a methodological perspective, an audit also includes a vulnerability scan. In addition, the results are assessed in the context of the respective system environment and false positives are removed. As such, the resulting recommendations for safeguarding SAP systems are much more comprehensive and contain deeper insights than is possible in a vulnerability scan report. Accordingly, the informative value of a Security & Compliance Audit goes far beyond that of a simple vulnerability scan, because the results also include an assessment, evaluated in the context of the specific company's system environment, that is summarized in a comprehensive report.
We recommend audits as initial preparation, after completion of hardening measures, and in the context of a system or platform migration.
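As an added illustration (not code from SAST SUITE or SAP), the following Python sketch shows the difference between the two steps described above: a scan that compares instance-profile parameters against a baseline without any context, and an audit-style triage that marks findings covered by documented compensating controls as false positives, plus a simple check for expired certificates. The parameter names are real SAP profile parameters, but the sample profile, the baseline values, the context and the certificate list are constructed for the example, and the baseline is an assumed hardening baseline, not an official SAP recommendation.

```python
"""Profile-parameter scan with audit-style triage (added example, not vendor code).

The BASELINE values are an assumed hardening baseline for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the style of an SAP instance-profile excerpt.
SAMPLE_PROFILE = """\
# constructed sample profile
login/min_password_lng = 6
login/no_automatic_user_sapstar = 0
login/fails_to_user_lock = 10
rdisp/gui_auto_logout = 0
snc/enable = 0
"""

# Assumed baseline: parameter -> (rule, expected value, finding text).
BASELINE = {
    "login/min_password_lng": ("min", 8, "minimum password length below 8"),
    "login/no_automatic_user_sapstar": ("eq", 1, "automatic SAP* login not disabled"),
    "login/fails_to_user_lock": ("max", 5, "too many failed logons before user lock"),
    "rdisp/gui_auto_logout": ("min", 1800, "no automatic SAP GUI logout"),
    "snc/enable": ("eq", 1, "SNC (encrypted SAP GUI/RFC traffic) disabled"),
}

# Constructed audit context: compensating controls documented for this system.
SAMPLE_CONTEXT = {
    "compensating_controls": {
        "rdisp/gui_auto_logout": "idle timeout enforced by terminal-server policy (documented)",
    }
}


@dataclass
class Finding:
    parameter: str
    actual: Optional[int]
    expected: int
    text: str
    status: str = "open"  # "open" or "false_positive"
    note: str = ""


def parse_profile(text: str) -> dict:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def scan(params: dict) -> list:
    """Vulnerability-scan step: compare against the baseline with no context.

    A parameter that is absent from the profile is reported as well, even though
    its default may be acceptable; this is one typical source of false positives.
    """
    findings = []
    for name, (rule, expected, text) in BASELINE.items():
        raw = params.get(name)
        actual = int(raw) if raw is not None and raw.lstrip("-").isdigit() else None
        checks = {"min": actual is not None and actual >= expected,
                  "max": actual is not None and actual <= expected,
                  "eq": actual == expected}
        if not checks[rule]:
            findings.append(Finding(name, actual, expected, text))
    return findings


def triage(findings: list, context: dict) -> list:
    """Audit step: mark findings covered by a documented compensating control."""
    controls = context.get("compensating_controls", {})
    for finding in findings:
        if finding.parameter in controls:
            finding.status = "false_positive"
            finding.note = controls[finding.parameter]
    return findings


def expired_certificates(certs: list, today: date) -> list:
    """Return the names of certificates whose expiry date lies before 'today'."""
    return [name for name, expiry in certs if expiry < today]


if __name__ == "__main__":
    results = triage(scan(parse_profile(SAMPLE_PROFILE)), SAMPLE_CONTEXT)
    for f in results:
        print(f"{f.status:14} {f.parameter:32} actual={f.actual} expected={f.expected} {f.note}")
    # Constructed certificate list (name, expiry date).
    print(expired_certificates([("SSL server PSE", date(2023, 1, 1)),
                                ("SNC PSE", date(2030, 1, 1))], date(2024, 6, 1)))
```

The scan reports every deviation from the baseline; only the triage step, fed with knowledge about the specific environment, turns the raw list into findings that an audit report would actually contain.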
Penetration Test: Identifying vulnerabilities through targeted intrusion attempts.
In contrast, a penetration test attempts to actively exploit vulnerabilities in a system environment. While vulnerability scans run almost fully automated, this kind of test requires deep expertise and tools from a variety of areas.
A penetration test requires extensive planning with regard to the methods and tools that will be used, as well as its ultimate goal. The main objective of a pen test is to identify insecure business processes, missing security settings, or other vulnerabilities that an intruder could exploit. The transmission of unencrypted passwords, reuse of standard passwords, and forgotten databases containing valid user logon information are just a few examples of problems that a pen test might reveal. Penetration tests do not have to be carried out as often as vulnerability scans, but we do recommend repeating them at regular intervals.
Normally, pen tests should be carried out by a third party rather than by internal employees, in order to get an objective view of the network environment and to avoid conflicts of interest. The effectiveness of this type of test depends heavily on the tester, who needs broad, far-reaching experience with information technology, ideally in the company's business sector. In addition to a focus on completeness and an understanding of how and why a company's system environment could be at risk, the ability to think in abstract terms and to anticipate the behavior of threat actors are key skills for carrying out this activity.
At a glance: Vulnerability Scans, Audits, and Penetration Tests compared.
Table 1. Comparison of vulnerability scans, audits, and penetration tests.
Find vulnerabilities before they start to hurt!
An analysis of the security level of your SAP systems can employ a variety of methods; what decides success is the respective focus and the individual objectives. All of these tests, from scanning for vulnerabilities to deep penetration tests, are crucial elements of a comprehensive security strategy.
We will be happy to advise you on the planning and implementation of the ideal SAP security check for your requirements. For reliable analysis and documentation we use the proven SAST SUITE. No software licensing is required for the duration of the test period.
You can also learn more about the topic in our webinar “SAP security & compliance audits: find your vulnerabilities before you get hurt”. We will be happy to provide you with the recording: https://t1p.de/9513v
Axel Giese (SAP Security Consulting, SAST SOLUTIONS)