Layer Seven Security

Security Compliance for SAP RISE Solutions

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.

SAP RISE should be selected from the framework selection screen.

Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.

The results are summarized for each requirement and an overall compliance score is calculated for the system.

You can drilldown into each requirement to navigate the detailed findings.

You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.

The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.

Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.

The shortcuts can be published as custom tiles to existing or new work groups.

Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.

The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.

SAP Security Notes, February 2024

Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.

Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.

Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.

Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.

SAP Cybersecurity Buyers Guide from SAPinsider

The SAP Cybersecurity Buyers Guide from SAPinsider provides a valuable, independent assessment of the capabilities of technology vendors and consultants for SAP security solutions and services. The guide reviews key solution providers and consultants in the cybersecurity domain for SAP. It performs a Vendor Capability Assessment across the following areas:

Threat Intelligence and Detection
Access and Identity Management
Data Protection and Encryption
Vulnerability Management
Incident Response and Forensics
Cloud Security and Compliance
Secure Code and Application Review

The Cybersecurity Extension for SAP is a featured vendor in the Buyers Guide and acknowledged in the review for its strong coverage in all areas. The solution is also cited for its support for S/4HANA and cross-stack security in SAP systems including application, database and host layers, rapid deployment, and lower costs and maintenance compared to alternatives.

DOWNLOAD

SAP Security Notes, January 2024

Hot news note 3412456 deals with a critical privilege escalation vulnerability impacting the development platforms SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA. Applications in the node.js JavaScript runtime environment are vulnerable to CVE-2023-49583. Applications developed using @sap/xssec library versions earlier than 3.6.0 and @sap/approuter versions earlier than 14.4.2 are impacted. node.js application dependencies should be upgraded with the latest versions of the libraries @sap/approuter and @sap/xssec.

Hot news note 3413475 deals with another privilege escalation vulnerability. This impacts SAP Edge Integration Cell used to design, deploy and manage APIs with SAP Integration Suite. Edge Integration Cell should be upgraded to version 8.9.13 to mitigate the vulnerability. There is no available workaround.

Note 3389917 includes corrections for a high-priority denial of service vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver Application Server ABAP and SAP Web Dispatcher. The DOS can be triggered by threat actors through a high volume of HTTP/2 requests. Support for the HTTP/2 protocol can be disabled in effected versions of the ICM and Web Dispatcher by the setting parameter icm/HTTP/support_http2 to FALSE. NetWeaver Application Server Java is not impacted since it does not support HTTP/2.

Note 341186 patches a code injection vulnerability in the File Adapter within SAP Application Interface Framework that enables privileged users to execute OS commands using a vulnerable function module.

Note 3407617 details manual steps for correcting a missing authorization check in SAP LT Replication Server running on SAP S/4HANA 1809 to 2023. The steps involve restricting the permissions of the user for LT Replication Server background jobs.

SAP Solution Manager, Private Cloud Edition, for SAP RISE Customers

Usage rights for SAP Solution Manager are included in SAP support and maintenance agreements for on-premise SAP solutions. The rights include database licenses for SAP HANA and ASE. Customers with Enterprise Support agreements have usage rights for all functional areas of Solution Manager, whereas customers with Standard Support agreements have restricted rights that include commonly used areas such as Change and Release Management (ChaRM), System Recommendations, and System Monitoring, but excludes areas such as Custom Code Management and Business Process Analytics.

SAP Cloud ALM is an alternative Application Lifecycle Management (ALM) solution that is provided to SAP customers with active cloud services. It can be used for both cloud and on-premise SAP solutions. Enterprise Support customers have usage rights for Cloud ALM but customers with cloud services and no on-premise solution supported by SAP do not have usage rights for Solution Manager.

There is currently no feature parity between Cloud ALM and Solution Manager. In other words, Cloud ALM does not support the same scenarios as Solution Manager. Since many customers require ALM functions that are not provided by Cloud ALM, SAP provides cloud-only customers with the option to subscribe to SAP Solution Manager, Private Cloud Edition (PCE).

Solution Manager PCE is the successor to SAP Solution Manager for SAP S/4HANA Cloud and like its predecessor, it is available in two versions: Project Documentation and Full. The main difference between the two versions is that the project documentation version is deployed as a single-system landscape, whereas the full version is deployed as a dual-system landscape, similar to on-premise installations. The full version is required to support the deployment of agents to managed systems.

Cloud-only customers can order the full version of SolMan PCE from SAP Enterprise Cloud Services (ECS) using SKU 8014172 providing they are using SAP S/4HANA or ERP on RISE. It is provisioned by SAP ECS within 30-40 days and includes SAP HANA.

The Cybersecurity Extension for SAP can be deployed to both on-premise and cloud installations of SAP Solution Manager. This includes SolMan PCE for RISE customers. Layer Seven Security provides a fully managed service for RISE customers that includes setup and maintenance of SolMan PCE.

SAP Security Notes, December 2023

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.

SAP Security Notes, November 2023

Hot News note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact to confidentiality, integrity and availability. SAP Business One allows read and write-access to SMB shared folders to anonymous users. The impacted components are the Crystal Reports (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder). The correction in the note modifies SMB shared folder permissions to only grant read and write access to authenticated and authorized users.

Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions including ASE, Event Stream Processor IQ, Replication Server, and SQL Anywhere.

Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The required kernel patches to correct the vulnerability are specified in the note.

Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to brute force the Java Logon application to discover legitimate user IDs. The vulnerability impacts version 7.50 of the J2EE Engine Server Core.

Security with SAP RISE: A Shared Model of Responsibility

SAP RISE is a cloud-based service offering from SAP that includes the private edition of SAP S/4HANA Cloud at the core. As part of the offering, SAP maintains privately-managed, single-tenanted accounts for each customer with hyperscale providers including AWS, Azure and GCP. The accounts are fully managed by SAP. Therefore, SAP acts as a cloud service provider and the customer is essentially a consumer of an SAP cloud service.

SAP customers are responsible for most aspects of security for on-premise deployments or cloud deployments managed directly with hyperscale providers. However, SAP RISE divides the responsibilities between SAP and customers.

As the cloud service provider, SAP assumes many of the responsibilities for security that would otherwise lay with the customer. This includes security at the hyperscaler and network level, as well as security for databases and servers, including operating systems for SAP servers.

Customers are responsible for the application and data layer. However, the responsibility for these areas can also be shared with SAP through optional Cloud Application Services (CAS) that extend the services delivered through SAP RISE. For example, SAP can assume the responsibility for identifying, analyzing, and implementing required security notes. However, this requires an additional CAS package that is not included in standard RISE services. If the customer does not obtain the package, the responsibility for analyzing and selecting notes for implementation lays with the customer. Once selected, the customer can create a service request for SAP to apply the notes.

The security of custom code is also the responsibility of each customer. Customers are encouraged to analyze custom code and remove obsolete, redundant and duplicate code to comply with SAP’s Clean Core principle. The remaining custom developments can be adapted and migrated to systems maintained by SAP Enterprise Cloud Services. However, customers are responsible for ensuring that the developments are secure and do not contain code-level vulnerabilities. RISE customers can secure custom SAP programs and applications using the SAP-certified Cybersecurity Extension for SAP (CES). CES supports the automated detection of code vulnerabilities in ABAP and UI5 applications. It can be used to support S/4HANA migrations and on-going development and maintenance activities for custom applications.

With the exception of SAP HANA, access control is also the responsibility of customers. This includes managing end user permissions and administrative privileges. Customers can opt-in for optional CAS packages that provide SAP managed services for this area. The Cybersecurity Extension for SAP can be used to monitor access privileges for systems in SAP RISE including segregation of duties violations and access to critical roles, profiles, transactions and authorizations at both the functional and technical level. This includes S/4HANA and supporting systems.

Security hardening is applied by SAP through standard builds used for each ABAP system. The builds include mandatory security settings documented in SAP Note 3250501.  This includes areas such as security-relevant profile parameters, securing standard users, deleting unused clients, deactivating vulnerable ICF services, system and client change options, and hardening for the RFC gateway and message server. The settings can be overridden by customers. Therefore, it is important to automate monitoring for compliance with the hardening requirements. This can be performed using the Cybersecurity Extension for SAP. Compliance Reporting in CES will automatically identify compliance gaps for SAP systems against the requirements of SAP Enterprise Cloud Services (ECS) in Note 3250501.

The final area that customers are responsible for is logging and monitoring. SAP provides customers with access to application logs. Customers can request access to OS, DB and network logs. This is provisioned using a premium offering called LogServe. The application and infrastructure logs can be integrated with SIEM solutions to automate threat detection and response. Alternatively, customers can pay for SAP Enterprise Threat Detection (ETD), cloud edition, or opt for a 24/7 or 8/5 managed service from SAP based on ETD. Neither option is included in standard RISE services.

The cloud edition of ETD includes less than 50 patterns for detecting Indicators of Compromise (IOC) in SAP solutions. The Cybersecurity Extension for SAP provides more than 900 patterns to detects IOCs in SAP systems, including patterns for databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher.

Overall, SAP RISE does not delegate the responsibility for security patching, secure development, access control, hardening, and logging and monitoring from customers to SAP. This is possible for some areas but only through the addition of optional packages that are not included in standard RISE services. Customer and SAP responsibilities are detailed in a comprehensive matrix provided by SAP ECS for more than 1000 tasks. The matrix is a reference for standard, optional, and additional services, excluded tasks, and services available through available CAS packages that are subject to additional service fees. Note that the matrix is subject to change by SAP.

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. The installation of CommonCryptoLib 8.5.50 or higher in impacted products is recommended to address the vulnerability. This can be performed by upgrading the relevant software components to the recommended versions detailed in the note.

Note 3333426 was updated for a Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application of SAP NetWeaver AS Java. The vulnerability could lead to information disclosure that could be used to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.

Notes 3324732 and 3371873 address a log injection vulnerability in the Log Viewer of AS Java. The support package patches specified in the note implement encoding and validation for user input to address the vulnerability in the impacted components.

Notes 3372991 and 3357154 patch Cross-Site Scripting (XSS) and missing XML validation vulnerabilities in SAP BusinessObjects and SAP PowerDesigner Client, respectively.

Maximize Your SAP Security Budget: How to Cut Costs Without Downgrading Cybersecurity

According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. 18 percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.

Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”

This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.

1. Eliminate Duplicate Security Solutions

Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.

SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely-used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.

Organizations can leverage these ALM platforms to perform many of the same functions of costly third-party alternatives. This will avoid unnecessary license fees and installing and maintaining hosts, connections, agents and users required by third party tools.

Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.

2. Minimize Manual Steps in SAP Security Patching

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time manually validating the results of SysRec every month to remove false positives. The workload is especially high in large SAP landscapes with large volumes of systems. The Cybersecurity for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.

3. Automate SAP Compliance Audits

SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.

Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders including compliance and audit teams on a regular interval.

4. Tune Security Alerts

Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot be realistically investigated with available resources. The latter scenario is known is alert flooding. This leads to wasted effort and reduces the confidence level of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.

False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude the patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/ destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also select enable/ disable specific alerts to customize monitoring and focus, for example, on critical or high priority incidents only.

5. Automate Incident Response

Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures.  SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking/ unlocking users or restarting systems that may have been disrupted by a denial of service attack.

The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.

6. Integrate SAP Logs with SIEM Solutions

Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.

There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity for successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching of SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.