Page 139 - Cyber Defense eMagazine December 2022 Edition
specific risk. This already describes the one challenge to master: at the moment they evaluate a request for
change, many SAP experts do not have at hand a classification of the change's benefit versus its SAP security
impact. An SAP security firm can supply the missing piece of information through a classification system that
puts the likelihood of exploitation into perspective.
The scenario described above applies to a single change, and it mainly connects to the security governance
model that needs to be in place to ensure the attack surface of SAP does not grow with every change.
Taking a step back and looking at the overall attack surface of an existing system, or of an entire landscape, is
a lot more complex. It typically requires an extensive assessment phase before dependencies and other
environment-specific considerations, such as the existence of additional security layers, can be accounted for.
Such additional layers can be introduced by network segmentation or by the intrusion prevention systems
built into next-generation firewalls; they reduce exposure of a vulnerable service but do not remove the vulnerability itself.
Conclusion
Every second Tuesday of the month, SAP Security Patch Day, SAP customers will see new security patches. It is
very likely that some of the security notes released will again force you to patch severe vulnerabilities in your
business-critical SAP applications.
If the affected service is deactivated, the risk of exploitation is typically reduced; this is why deactivating the
affected service is often mentioned as a workaround for those who cannot install the patch immediately. Keep
in mind that this is a mitigation, not a fix: the vulnerable code remains on the system and is exposed again the
moment the service is reactivated.
Log4j caught many organizations, SAP customers included, unprepared. Be aware that this can happen again
at any time; better yet, assume that it will happen and develop your security strategy accordingly.
About the Author
Christoph Nagy has 20 years of working experience within the
SAP industry. He has utilized this knowledge as a founding
member and CEO of SecurityBridge, a global SAP security
provider serving many of the world's leading brands and now
operating in the U.S. Through his efforts, the SecurityBridge
Platform for SAP has become renowned as a strategic security
solution for automated analysis of SAP security settings and
real-time detection of cyber-attacks. Prior to SecurityBridge,
Nagy applied his skills as an SAP technology consultant at Adidas
and Audi. Christoph can be reached online at
[email protected] and at
https://securitybridge.com/.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.