Scores of Vulnerable SAP Deployments Uncovered
mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old, and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly facing and remotely accessible. The SAP services contained dangerous vulnerabilities which have since been patched by the vendor, but the patches had not been applied."
As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% the anticipated budget. They really couldn't afford it in the first place so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!
I once heard SAP described as "Germany's way of getting back at us for winning the war." I've spent my fair share of time beating the SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.
Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.
Any insufficiently advanced magic is indistinguishable from technology.
This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.
So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.
Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.
ba-dum-dam
Thanks, I'll be here all night.
Silence is a state of mime.
And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.
The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.
Receive buggy, unpatched systems
It's German for 'Our hands in your wallet'
If you are a service provider you should be required to let your clientele know what versions of software you are using.
Let's send out a deployment of killers to kill SAP international staff.
It's a job fair bonanza!
And the 'turnover' saves the companies a butt load of $billions of dollars per year.
Win Win Scenario Baby! Let's Go.
Interesting or intrigued? In other words, is your question a genuine one or just rhetorical?
Questions raise, answers kill. Raise questions to stay alive.
That dude in the photo ain't no sap.
-- Jimtown Kelly
Some of these vendor-ware boxes are so hard to install, patch and maintain, that quite often they are left alone to run for years in production until the hardware dies.
If it gets hacked... it's the hacker's fault.
When the hardware dies,... it's the hardware vendor's fault.
If it's left unmaintained, the company saves money
If it is maintained, the admins won't be allowed to do anything when the company won't give them an update window, out of fear of breaking it. So the admins sit on their hands and spin in their chairs every day.
It's always someone else's fault when the server goes balls-up, and when that happens, they get someone in to reinstall the server on new hardware.
(after lengthy outages)
READY.
PRINT ""+-0
I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.
My background is strong C++, having also worked at high-frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP who would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and so afraid to rock the boat that it has become the monolithic behemoth it is today. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggests they cut costs before everything was fully completed (WebDynpro, OO ... I'm looking at you.).
I worked as a contractor at a bank about 10 years ago, and highlighted the fact that their vendors being able to upload files all to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I could wager a guess, they did nothing about it, at least for the time I was working there.
Then there is SAP's resource site (SAP Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load-balanced host with a new host name. The site is a mess and is still struggling to even resemble Web 1.0.
But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.
The reason that most companies buy an ERP system is to be in compliance with laws that govern their business. SOX (Sarbanes-Oxley) is probably the best known. Publicly traded companies must abide by those rules, and ERP systems give you a way of meeting those requirements. It's a big part of the sales pitch. The problem with ERP systems is the cost of maintenance. Typical rates run around 18% of the purchase price annually. Then there are the updates and security patches, etc. It can eat up a lot of time. Keeping an ERP system running properly requires a team of dedicated staff. When companies elect not to keep the software up to date, you end up with these types of issues where the system can be at risk.
The parts of SAP that stupid companies expose to the Internet *WERE NEVER DESIGNED TO BE EXPOSED TO THE INTERNET*
SAP will tell you not to expose these systems to the Internet.
You can however make access to these SAP resources a two step process, thereby giving the business what they want, while preserving the security of the environment.
It's not hard, well, it's not hard if you know what you're doing.
You mean there are hundreds of firms running SAP .....who are still in business?
..., it's just an asshole branch of software. Similar to typesetting software.
Nuff said.