SAP Application Security Spotlighted at Black Hat DC

At the upcoming Black Hat DC conference, a security researcher is putting Web-enabled SAP applications in the line of fire.

With more and more SAP systems getting connected to the Web, the security landscape for many organizations is changing.

Just how much-and what those changes mean-will be highlighted at the upcoming Black Hat DC conference by Mariano Nu??ez Di Croce, director of research and development for Onapsis.

"If we think about the common goals and motivations of attackers-such as espionage, sabotage and/or fraud-we'll see that ERP systems and business-critical applications, such as SAP, have always been the natural target for them," Nu??ez Di Croce told eWEEK. "If someone is looking to access the most sensitive business information, these are the systems he would try to compromise."

More than a decade ago, most ERP systems were only used internally, he added. Today, many organizations need to provide real-time, remote business management capabilities and therefore end up connecting them to untrusted networks such as the Internet, he said.

"I found it astonishing to see how most large organizations invest huge resources into securing their IT infrastructure, such as networking devices, operating systems and Web applications, but are still not protecting their ERP systems properly," the researcher said. "Why would an attacker compromise a file server if he can obtain full control of the systems keeping the organization's crown jewels?"

In his presentation Jan.18, Nu??ez Di Croce is slated to explain how remote attackers can compromise different SAP Web components, and how those threats can be mitigated. In particular, he will detail an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations.

"In the briefing we are presenting vulnerabilities we have discovered in the Web components of SAP systems," he said. "One of them is a bypass in the authentication of SAP Enterprise Portals when using external authentication mechanisms, such as two-factor authentication solutions. High-profile organizations using this kind of authentication are trying to increase their security level. However, if they do not do this cautiously and follow SAP's security recommendations, they can be shooting themselves in the foot, enabling attackers to completely bypass authentication and take control of the system."

Traditionally, the security of these systems was only related to segregation of duties (SoD), he added.

"In 2011, that's not enough anymore," he said. "These systems feature their own technological frameworks, which may be susceptible of specific security vulnerabilities. If they are exploited, this can invalidate all the efforts invested into applying SoD controls. I think that organizations must now ... start auditing and securing their ERP systems holistically. SAP is also pushing in this direction with several proactive measures. It's only a matter of time."

In a statement to eWEEK, a SAP spokesperson said the company works closely with researchers to protect the security of its products.

"Today's businesses face many threats to security and data integrity, such as the alarming increase in cyber crime in the business world," the spokesperson said. "SAP has been collaborating closely with security researchers and...when any such security concerns are raised, it is a win-win for our customers since the goal is to protect their security."

Black Hat DC 2011 will run from Jan. 16-19 at the Hyatt Regency Crystal City hotel in Arlington, Va.

*This story was updated with commentary from SAP.