English | Deutsch | Español

Why SAP Security Is Difficult For Security Departments To Understand

May 16, 2017

I recently wanted to tell a colleague of one of our partners the benefits of our Virtual Forge TransportProfiler solution. The first question I encountered was “What is a transport?” Now, it’s not as if the individual with whom I was speaking was incompetent: He has over 25 years of experience in IT security, CISSP, CISM, and as a lecturer; nevertheless, in the long conversation followed, I had to explain to him the basic architecture of an SAP system.


Now, many of my readers may be smugly grinning at this point, but it is easy for those of us who, like me, have worked in the SAP world for nearly two decades to forget that SAP is vastly different from nearly all other applications.   

This conversation was a big eye-opener for me. For years, we have noticed through talks with clients that security departments were neglecting the security of the company’s SAP system. This isn’t because IT-security just isn’t aware of the importance of SAP systems and the information they contain though. Rather, IT often assumes that SAP functions like any other application. This is exactly the point where we SAP experts need to offer some clarification.

As we know, SAP is much more than “simply” an application, a fact quickly recognizable by the sheer size of the source codes. While Debian Linux is made up of around 67 million lines of code and Microsoft Office of a good 44 million lines, the SAP Business Suite contains nearly 320 million lines of code! However, it’s not just the amount of code that suggests that there is more to an SAP system than first meets the eye.

At the surface level, the software from Walldorf, Germany, is purely an application. It runs off an operating system and a database just like most other applications. Though those who work with SAP systems know that there is a NetWeaver stack on which the actual application runs, for example a CRM. In other words, the famous SAP basis takes the role of an operating system in this case, an obviously flawed comparison from a technical point of view, but an absolutely essential one for security. Only after approaching NetWeaver as an “operating system,” will IT know that there are weaknesses that need to be protected, just like with Windows or Linux.

Another example is customer-specific source code. Take the comparison with Microsoft office for example: anyone can configure their Office so that it best suits their personal work needs but the source code always remains the same. This is not the case with SAP systems. SAP has made it possible to make many changes in the source code. It is even possible to modify the standards making no two SAP systems identical. The problem is that the customer-specific source code is written by the customer and is therefore their responsibility. Our own studies have shown that for an average 2 million-line customer specific code, there is 1 critical security loophole per 1000 lines of code, an amount that IT security is not always aware of. 

Final example: the SAP system’s transport mechanism. This function is very practical; however, it hardly exists in this form in any other application. On one hand, the transport mechanism protects against many errors including functional ones, but on the other hand, SAP has created a very powerful tool for transports, one with few limitations. That opens the door for many security issues.

It is primarily through these three gateways that security loopholes and weaknesses first pop up in a SAP system. My explanation may be very simplified and many of my purist readers may throw their hands in the air, but the point is, only with this analogy will somebody, unfamiliar with SAP systems, become aware of the complexity of the situation. More importantly, through these comparisons, an IT expert will know what steps to take to properly secure an SAP system.

In the film “Dead Poets Society”, late actor Robin Williams stands on a desk to see things from a new perspective. A similar change in perspective is also important now in order to raise awareness about SAP security and protect companies’ important, sensitive data.

@Virtual_Forge on Social Media:

social_twitter_active.png social_linkedin_active.png social_google_active.png