Researchers say SAP systems wide open to hackers

SAP enterprise systems never developed for security, vulnerabilities on the rise.

SAP enterprise systems were never developed for security, researchers say. Since such systems manage the core information for many major companies, this is a major flaw. As more vulnerabilities are discovered, the situation is ripe for large-scale industrial espionage.

New security flaws are discovered almost daily. Most attention is given to those found in Microsoft's products, but other major software companies have security vulnerabilities, too, SAP chief among them.

Security vulnerabilities are now published and traded at WabiSabi Labi, a Web site that opened recently. Asked to name the company that's contributed the largest number of vulnerabilities so far, WabiSabi Labi strategist Roberto Preatoni responds promptly: "SAP. We have 10 vulnerabilities that affect their platforms."

He adds: "We got some of them from security researchers, and as we tested if they worked, we found some more."

He urges the German software giant to give its software security a major makeover, as many holes seem to need patching.

Vulnerabilities are open back doors for all hackers. And vulnerabilities in SAP platforms could have disastrous consequences since, according to security researcher Roberto Preatoni, SAP platforms are used by 50 percent of all Fortune 500 companies -- the largest companies in the USA and the world. Recently, Computer Sweden reported that SAP is outselling Oracle in the major enterprise market. The information stored in SAP systems is invaluable.

The fact that major enterprise systems are increasingly accessible on the Web does not improve matters, except for hackers.

"If you're into industrial espionage, all the information you need is in the business system," says security expert Thomas Olofsson, director of technology at security company Tadcom.

All security companies are currently rating industrial espionage as a major trend.

"The basic problem is that SAP enterprise systems were never developed for security. If a hacker finds a weakness in the salary module, he'll have full access to the database and the entire corporation," says Olofsson.

But SAP is not the only platform with flaws. No matter who the provider is, security is neglected, even though enterprise systems contain much critical information.

"They don't get as much scrutiny as other systems," says Olofsson.

"An Exchange server will be turned inside out, but you don't do that with your enterprise systems. Also, the consultants that install enterprise systems aren't focused on security."

When corporations engage security consultants to do penetration testing, the consultants are often told that the enterprise system is off-limits, Olofsson says.

"Management is worried that something might go bad," he says.

The result, of course, is not tighter security.

SAP is not willing to comment on the alleged vulnerabilities, but says that the criticism is unfounded.

"I don't understand this criticism. We're the only provider of enterprise systems to have certified our platform for security, and we've worked hard on internal security," says Tomas Andersson, product manager at SAP Sweden.


Mikael Ricknäs

Computer Sweden