Business applications are at greater risk now than ever. They have been opened up for access via the internet and mobile devices, and more and more intruders find undetected ways into company systems along these routes.
A conventional door lock can be cracked by a professional in no more than 4 seconds. That sounds quick. It is far more demanding to break into a complex SAP system with millions of lines of program code within 60 seconds. An SAP consultant succeeded in doing exactly this on Positive Hacker Day, and pointed out the ten most common weak points in an SAP system.
This incident should have worried SAP customers. Instead, they seem to muddle on, even though they often rely on in-house developments built on top of SAP. Since these, in turn, run to millions of lines of code but were “knitted with a hot needle” in a short time, the security aspect was often neglected in the design. The result is weaknesses like those pointed out.
“Due to security gaps in applications, even the databases behind the applications can be read out.” That happened at Sony, for example, and Sony suffered massive damage to its image. Attackers could theoretically bring down such a leaky system, but they usually don’t want that at all. SAP systems, which handle 60% of world trade, offer far more rewarding targets: masses of company data and transactions.
“The trade in stolen company-confidential data on the Internet is flourishing like no other branch of the economy.” “The motivation of virtual intruders is increasingly linked to financial interests – data is cash, illegal access is a million-dollar business.” The trend is toward targeted attacks on companies, mainly on their research and development departments.
The problem for those who fight such threats is not just the loopholes in the applications. Nor is it just that developers have less and less time to make an application “watertight” – if that is a design requirement at all. Above all, it is the operators of the applications themselves. “More than 90% of the attacks could have been prevented if companies had maintained their information and telecommunications systems and, for example, installed updates for the operating system and application level promptly.”
Therefore, all software manufacturers surveyed implement preventive in-house procedures and methods to build application security into the development and deployment phases, and subsequently deliver patches and updates on a regular basis.
“A Privacy & Security Assessment (PSA) has been introduced in the Telekom Group. It is an integrated procedure for technical security and data protection as part of the product and system development processes.” “SAP uses a system of mutual control by three independent departments: one department defines the security requirements, a second applies them in software development, and the third finally checks compliance.”
Both companies help their customers, through teams of security experts, to handle the worst-case scenario. “Very few companies have the necessary technical know-how, let alone the human resources, to thoroughly examine their networks as well as their information and telecommunications resources day and night – both inside and out.” Because of this, they often overlook attacks and data theft. And if they do notice one, there is a lack of efficient emergency plans and trained security experts.
Customers are now sensitized and are investing heavily in security tools. Unfortunately, they think like a medieval castle builder: they fortify the walls while the enemy is already lurking inside. In order to spy for as long as possible, the worms, viruses and Trojans keep as quiet as they can.
They can only be tracked down with correspondingly sophisticated solutions that filter the data traffic and can correlate various conspicuous events with one another: “Wait a minute, is user ABC even allowed to send files of the XYZ category via port 80?” Experts refer to this category of monitoring tools as “System Information & Event Management”, or SIEM for short. Such fully automated solutions are rarely cheap, but they are increasingly available as a subscription from the cloud.
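The correlation the quoted question describes, as an added example that is not part of the original article and not taken from any SIEM product: a file-classification (DLP) event and an outbound upload by the same user are tied together within a short time window and checked against a policy table. The log lines, the user names, the file categories and the policy are all constructed for illustration.

```python
"""Toy SIEM-style correlation: is user ABC allowed to send category-XYZ
files via port 80?  Added example with constructed events and policy."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: which file categories each user may send, and over
# which destination ports.  Anything not listed is denied.
POLICY = {
    "ABC": {"PUBLIC": {443}},                       # ABC: only PUBLIC files, only HTTPS
    "DEF": {"PUBLIC": {80, 443}, "XYZ": {443}},     # DEF: XYZ allowed, but only over 443
}

# Constructed sample events in a flat, syslog-like "key=value" format:
#   <iso timestamp> <source> user=<u> key=value ...
SAMPLE_LOG = """\
2024-03-01T10:00:01 dlp user=ABC action=read file=q1_forecast.xlsx category=XYZ
2024-03-01T10:02:30 proxy user=ABC dst=203.0.113.10 dport=80 bytes=524288 method=POST
2024-03-01T10:05:00 dlp user=DEF action=read file=brochure.pdf category=PUBLIC
2024-03-01T10:05:20 proxy user=DEF dst=203.0.113.10 dport=80 bytes=120000 method=POST
2024-03-01T11:00:00 dlp user=DEF action=read file=roadmap.pptx category=XYZ
2024-03-01T11:01:10 proxy user=DEF dst=198.51.100.5 dport=443 bytes=900000 method=POST
2024-03-01T12:00:00 dlp user=ABC action=read file=q1_forecast.xlsx category=XYZ
2024-03-01T13:30:00 proxy user=ABC dst=203.0.113.10 dport=80 bytes=524288 method=POST
"""

# A file read followed by an upload within this window is treated as one act.
WINDOW = timedelta(minutes=10)


def parse(line):
    """Turn one log line into a dict; the first two tokens are time and source."""
    ts, source, *kvs = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "source": source}
    for kv in kvs:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def correlate(log_text):
    """Return one alert per (file read, outbound upload) pair by the same user
    inside WINDOW where POLICY does not allow that category on that port."""
    recent_reads = defaultdict(list)   # user -> [(ts, category, filename)]
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        user = ev["user"]
        if ev["source"] == "dlp" and ev.get("action") == "read":
            recent_reads[user].append((ev["ts"], ev["category"], ev["file"]))
        elif ev["source"] == "proxy" and ev.get("method") == "POST":
            port = int(ev["dport"])
            # Forget reads older than the window, then test the remaining ones.
            recent_reads[user] = [r for r in recent_reads[user]
                                  if ev["ts"] - r[0] <= WINDOW]
            for _, category, fname in recent_reads[user]:
                allowed_ports = POLICY.get(user, {}).get(category, set())
                if port not in allowed_ports:
                    alerts.append({"user": user, "category": category, "file": fname,
                                   "dport": port, "dst": ev["dst"],
                                   "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT:", alert)
```

Only the first pair fires: ABC reads an XYZ file and uploads over port 80 two minutes later, which the policy does not permit. DEF's port-80 upload is allowed because the file was PUBLIC, DEF's XYZ upload goes over 443 as the policy requires, and ABC's afternoon upload is 90 minutes after the read, outside the window, so no correlation is drawn. The deny-by-default lookup (`set()` when a user or category is missing) is the design choice that matters: an unknown user or category raises an alert rather than silently passing.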
In the end, as is so often the case, it comes down to the user: if you don’t install patches and updates, you shouldn’t be surprised if your products or patents are being used without permission in other parts of the world. In a global economy that is increasingly organized in networks, trust is good, but control is usually better. “What has become known so far is only the tip of the iceberg.”