Maximizing SAP Security: How AI and Human Intervention Work
No matter how sophisticated AI-driven threat detection becomes, your security team remains responsible for preventing and responding to attacks. AI can help identify vulnerabilities, alert you to issues and automatically block suspicious activity or user endpoints that are likely sources of problems. Additional protection steps are still needed beyond that automation. Hardening the system is imperative: the IT team reduces the attack surface, and the smaller the surface, the harder the system is to breach. The attack surface comprises every entry point or vector through which a malicious actor can reach the system to extract or manipulate sensitive information. The SAP attack surface is large, and reducing it adequately requires human action in three areas.
Action #1: Patching
Mitigate known vulnerabilities. SAP releases patches for known vulnerabilities every month on its Security Patch Day. Understanding each patch's severity, impact and relevance to your landscape is crucial for timely patching. Striking the right balance between severity and implementation effort lets you work down your SAP patch backlog promptly.
Implementing SAP Notes and patches can be automated for efficiency, but SAP patch management is complex and varied, which limits how much can be automated. SAP security solutions do offer automated implementation for many SAP Notes; still, only patches that require no manual steps and are deemed safe to deploy are released through that automated path. A specialized internal patch assessment for the remainder therefore ensures better safety.
Expert knowledge, feedback and live updates for each vulnerability come with SAP security solutions and are very helpful. Keep in mind that every published note also alerts attackers, so defenders must install the patch, or put compensating controls in place, before the vulnerability can be exploited; this is where community feedback becomes a critical component of your defense.
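As an added example of the triage described above (not code from this article or from any SAP product), the Python below scores a monthly backlog of security notes on the three axes the text names: severity, relevance to the installed software components and support package levels, and implementation effort (automatable versus manual). The note IDs, components, SP levels and scoring weights are constructed sample data and assumptions, not real SAP Notes or SAP guidance.

```python
"""Triage of a monthly SAP Security Note backlog.

Added example; not code from the article or from any SAP product. All note
IDs, components, SP levels and scoring weights are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityNote:
    note_id: str             # constructed placeholder, not a real SAP Note number
    cvss: float              # CVSS base score published with the note
    component: str           # affected software component, e.g. SAP_BASIS
    sp_min: int              # first affected support package level
    sp_max: int              # last affected support package level (inclusive)
    manual_steps: bool       # needs manual pre/post-steps -> not automatable
    exploited: bool = False  # public exploit or active exploitation known


@dataclass
class SapSystem:
    sid: str
    components: dict = field(default_factory=dict)  # component -> installed SP


def applies(note: SecurityNote, system: SapSystem) -> bool:
    """Relevance: the component must be installed and its SP level must fall
    inside the affected range. Notes for components you do not run drop out."""
    sp = system.components.get(note.component)
    return sp is not None and note.sp_min <= sp <= note.sp_max


def priority(note: SecurityNote) -> float:
    """Severity balanced against effort; higher means more urgent.
    The weights are assumptions chosen for this example, not SAP guidance."""
    score = note.cvss
    if note.exploited:
        score += 3.0   # attackers already have it: patch or compensate now
    if not note.manual_steps:
        score += 1.0   # cheap to deploy, so clear it from the backlog early
    return score


def build_backlog(notes, system):
    """Return (note_id, priority, track) for relevant notes, most urgent first.
    'auto' notes can go through the automated implementation path; 'manual'
    ones need the internal patch assessment the article recommends."""
    relevant = [n for n in notes if applies(n, system)]
    ranked = sorted(relevant, key=priority, reverse=True)
    return [(n.note_id, round(priority(n), 1),
             "manual" if n.manual_steps else "auto") for n in ranked]


# Constructed sample data (not real notes or systems).
SAMPLE_NOTES = [
    SecurityNote("NOTE-A", 9.8, "SAP_BASIS", 0, 20, manual_steps=False, exploited=True),
    SecurityNote("NOTE-B", 7.5, "SAP_BASIS", 15, 20, manual_steps=False),
    SecurityNote("NOTE-C", 8.8, "SAP_ABA", 0, 30, manual_steps=True),
    SecurityNote("NOTE-D", 5.3, "SAP_BASIS", 0, 20, manual_steps=False),
    SecurityNote("NOTE-E", 9.1, "SAP_GWFND", 0, 20, manual_steps=False),
]
SAMPLE_SYSTEM = SapSystem("PRD", {"SAP_BASIS": 12, "SAP_ABA": 12})

if __name__ == "__main__":
    for note_id, score, track in build_backlog(SAMPLE_NOTES, SAMPLE_SYSTEM):
        print(f"{note_id}  priority={score:<5} track={track}")
```

Run against the sample system, NOTE-B (SP range not hit) and NOTE-E (component not installed) drop out before any scoring, which is the point of the relevance check: the backlog you hand to the patch team only contains notes that actually apply.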
Action #2: System Hardening
Though patch management is necessary and extremely helpful, your SAP system still has parameters and settings that govern how the application functions. Many of them are security-relevant and affect your attack surface.
Business-critical SAP systems must be hardened. Change default settings and parameters to more secure values and configure system logging (the Security Audit Log in particular) so that the relevant events are actually recorded. Secure communication between systems and technical components over protocols such as HTTP(S) and RFC, and activate only the Internet Communication Framework (ICF) services you need. Following best practices, harden the technical components responsible for communication: the SAP Router, the message server, the SAP Web Dispatcher and the Internet Communication Manager (ICM).
Pay attention to your access points. Apply the principle of least privilege within user authorizations and limit the group of users with elevated privileges (especially the SAP_ALL profile). Check the settings of the RFC destinations in your landscape, including stored credentials and trust relationships; this lessens the chance that someone reaches a critical system from a less critical one through an unsecured RFC call. Restrict the file paths the application servers may read and write as well, since directory traversal attacks can cause significant damage in SAP environments.
Every unnecessary open interface is a door that an AI-based security system cannot close for you. Fortunately, configuration guidelines and baselines are available, such as the SAP Security Baseline Template or checklists from SAP user groups. Following them also helps keep your SAP system compliant with common security frameworks and regulations, such as SOX, NIST or KRITIS.
Continuous change in an SAP environment makes it challenging to get the system "clean" and keep it that way. Automating security and compliance checks reduces the effort of hardening. SAP security solutions can run the checks needed for security and for compliance with frameworks and regulations, apply multiple baselines in parallel so that parameters are secure across all SAP stacks, technical components and layers, and validate user authorizations, interface configurations and other application controls to reduce the attack surface further.
The most effective way to harden SAP systems and keep them hardened is to present the recommendations as a daily update with findings ranked by weighing exploitation risk against resolution complexity. That lets you deal first with "low-hanging fruit" that carries high risk. Delivering the actual parameter values alongside each finding supports decision-making. Compliance reports mapped to regulations such as SOX or NIST can also be produced, which helps with the next SAP security audit.
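An added example, not from the article or from any product it alludes to: a Python checker that parses an instance profile in SAP's `parameter = value` format, compares it with a small baseline and ranks the violations by risk versus effort, which is the daily-update ranking described above. The parameter names are real SAP profile parameters, but the expected values and the risk and effort weights are this example's assumptions taken from common hardening guidance, to be confirmed against the current SAP Security Baseline Template; the profile text is constructed.

```python
"""Check an SAP instance profile against a small hardening baseline and rank
the findings by risk versus effort.

Added example; not code from the article or from any product. Parameter names
are real SAP profile parameters, but the expected values, risk and effort
weights are assumptions taken from common hardening guidance: confirm them
against the current SAP Security Baseline Template before relying on them.
"""

# parameter -> (operator, expected value, risk 1..3, resolution effort 1..3)
BASELINE = {
    "login/password_downwards_compatibility": ("eq", "0", 3, 1),
    "login/no_automatic_user_sapstar":        ("eq", "1", 3, 1),
    "login/min_password_lng":                 ("ge", "8", 2, 2),
    "rfc/reject_expired_passwd":              ("eq", "1", 2, 1),
    "auth/rfc_authority_check":               ("ge", "1", 2, 1),
    "gw/acl_mode":                            ("eq", "1", 3, 2),
    "gw/reg_no_conn_info":                    ("eq", "255", 3, 2),
    "rsau/enable":                            ("eq", "1", 3, 1),
    "system/secure_communication":            ("eq", "ON", 3, 3),  # SNC rollout is a project
}


def parse_profile(text: str) -> dict:
    """Parse 'parameter = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def satisfies(op: str, actual: str, expected: str) -> bool:
    if op == "eq":
        return actual.upper() == expected.upper()
    if op == "ge":
        try:
            return int(actual) >= int(expected)
        except ValueError:
            return False   # non-numeric where a number is expected: treat as weak
    raise ValueError(f"unknown operator {op}")


def check_profile(text: str) -> list:
    """Return one finding per baseline violation, ranked so that high-risk,
    low-effort items (the low-hanging fruit) come first. A parameter that is
    not set at all is reported as 'missing': the kernel default then applies,
    and defaults differ between releases, so it has to be verified explicitly."""
    params = parse_profile(text)
    findings = []
    for param, (op, expected, risk, effort) in BASELINE.items():
        actual = params.get(param)
        if actual is None:
            status = "missing"
        elif satisfies(op, actual, expected):
            continue
        else:
            status = "weak"
        findings.append({"param": param, "actual": actual,
                         "expected": f"{op} {expected}",
                         "risk": risk, "effort": effort, "status": status})
    findings.sort(key=lambda f: (-f["risk"], f["effort"], f["param"]))
    return findings


# Constructed sample instance profile (not from a real system).
SAMPLE_PROFILE = """\
# constructed sample instance profile
SAPSYSTEMNAME = DEV
login/password_downwards_compatibility = 1   # weaker legacy hashes still generated
login/no_automatic_user_sapstar = 1
login/min_password_lng = 6
rfc/reject_expired_passwd = 0
gw/acl_mode = 1
rsau/enable = 0
system/secure_communication = OFF
"""

if __name__ == "__main__":
    for f in check_profile(SAMPLE_PROFILE):
        print(f"risk={f['risk']} effort={f['effort']} {f['status']:7} "
              f"{f['param']} = {f['actual']!r} (want {f['expected']})")
```

The sort key puts a disabled Security Audit Log and downward-compatible password hashes (high risk, a one-line change) ahead of `system/secure_communication`, which is just as risky but means rolling out SNC across the landscape. Extending the same structure to a second baseline (for the gateway, the Web Dispatcher, or a regulation-specific list) is a matter of adding another rule table.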
Action #3: Custom Code Cleansing
Patch management addresses known vulnerabilities in SAP's own code, but custom applications and external add-ons still contain issues. Many code vulnerabilities allow data breaches or give attackers a pathway into your SAP system. Be aware that unused custom code is not harmless: it enlarges the application's attack surface because it can still be executed at any time. Accumulated code vulnerabilities leave SAP customers with a large attack surface, and a first scan of the custom code base, whether with the SAP Code Inspector or a third-party tool, typically surfaces far more findings than can be fixed at once.
Immediate remediation is impossible, because fixing every vulnerability at the same time would require unlimited development resources, and the testing effort before deploying all the corrections would be enormous. Therefore, approach code vulnerabilities as follows:
First, raise awareness of secure coding practices. The goal is to build ABAP custom applications without vulnerabilities. Extensive training is not necessarily required for this; third-party solutions can explain each finding, recommend secure ABAP statements and categorize the findings. Those that "must be fixed" are highlighted; those that "can be fixed" tell developers how much flexibility they have given project time constraints or application impact. Either way, ABAP code cleanup is a long process.
Second, start with a simple but effective security gate in your development process instead of a big remediation project. Scan each transport request for vulnerabilities before importing it into the test systems, and you will stop introducing new insecure code. SAP security solutions help your development team write secure code by design and integrate with the SAP Code Inspector and the ABAP Test Cockpit (ATC). They can also scan every transport request, including third-party code, before it is imported, so insecure code never enters your environment.
Finally, cleanse the existing custom code and reduce the number of vulnerabilities in your legacy applications, starting with the custom code that is in use. Then move to the unused code and either remove it or fix its vulnerabilities, so it cannot be executed and no longer contributes to your attack surface. Within the code in use, look first for vulnerabilities with a high exploitation risk, or findings with high severity and significant impact, and put those that are easy to solve at the top of your backlog. Align the remediation work with other application changes to minimize testing effort.
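As an added example serving both the must-fix/can-fix categorization and the transport gate described above (not the article's, SAP's or any vendor's code), the Python below scans constructed ABAP includes for a handful of dangerous statement patterns, downgrades a dynamic WHERE clause to "can fix" when the include uses `cl_abap_dyn_prg`, and refuses a transport that carries any must-fix finding. The rule set, the severities and the mitigation heuristic are this example's assumptions; a production gate would sit on the Code Inspector or the ABAP Test Cockpit rather than on regular expressions.

```python
"""Security gate for ABAP transports: scan the includes in a transport request
for dangerous statement patterns and refuse the import if any must-fix finding
is present.

Added example; not code from the article, from SAP or from any vendor. The
rules, severities and the mitigation heuristic are assumptions, and the ABAP
sources are constructed. A real gate would wrap the Code Inspector or ATC.
"""
import re

# rule -> (pattern, severity). Patterns are deliberately narrow: a match is a
# candidate for review, not proof of exploitability.
RULES = {
    # kernel call that runs an OS command on the application server
    "os_command":    (re.compile(r"CALL\s+'SYSTEM'", re.I), "must_fix"),
    # WHERE clause assembled at runtime: SQL injection unless input is quoted
    "dyn_where":     (re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I), "must_fix"),
    # file name taken from a variable: directory traversal unless validated
    "file_path_var": (re.compile(r"\bOPEN\s+DATASET\s+(\w+)", re.I), "must_fix"),
    # native SQL bypasses the ABAP SQL interface and its protections
    "native_sql":    (re.compile(r"\bEXEC\s+SQL\b", re.I), "must_fix"),
    # reads across clients; legitimate only in a few technical programs
    "cross_client":  (re.compile(r"\bCLIENT\s+SPECIFIED\b", re.I), "can_fix"),
    # table name chosen at runtime: needs an allow-list check
    "dyn_table":     (re.compile(r"\bFROM\s*\(\s*\w+\s*\)", re.I), "can_fix"),
}


def scan_include(name: str, source: str) -> list:
    """Return findings for one ABAP include. Heuristic: when the include uses
    cl_abap_dyn_prg (quote / check_whitelist_str), a dynamic WHERE clause is
    downgraded to 'can_fix' because the author evidently treats the input; a
    reviewer still has to confirm that every fragment goes through it."""
    mitigated = "cl_abap_dyn_prg=>" in source.lower()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, (pattern, severity) in RULES.items():
            if pattern.search(line):
                if rule == "dyn_where" and mitigated:
                    severity = "can_fix"
                findings.append({"include": name, "line": lineno,
                                 "rule": rule, "severity": severity,
                                 "code": line.strip()})
    return findings


def gate_transport(transport: dict) -> tuple:
    """transport: include name -> ABAP source. Returns (allowed, findings).
    The import is allowed only when no must-fix finding remains."""
    findings = [f for name, src in transport.items()
                for f in scan_include(name, src)]
    allowed = not any(f["severity"] == "must_fix" for f in findings)
    return allowed, findings


# Constructed sample transport: one vulnerable and one hardened report.
SAMPLE_TRANSPORT = {
    "ZREP_VULN": """\
REPORT zrep_vuln.
PARAMETERS: p_file TYPE string, p_name TYPE string.
DATA lv_where TYPE string.
lv_where = |NAME = '{ p_name }'|.
SELECT * FROM zcust INTO TABLE @DATA(lt_cust) WHERE (lv_where).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
CALL 'SYSTEM' ID 'COMMAND' FIELD 'ls'.
""",
    "ZREP_OK": """\
REPORT zrep_ok.
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
lv_where = |NAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM zcust INTO TABLE @DATA(lt_cust) WHERE (lv_where).
OPEN DATASET '/usr/sap/trans/data/in.txt' FOR INPUT IN TEXT MODE ENCODING DEFAULT.
""",
}

if __name__ == "__main__":
    allowed, findings = gate_transport(SAMPLE_TRANSPORT)
    for f in findings:
        print(f"{f['severity']:8} {f['include']}:{f['line']} {f['rule']}: {f['code']}")
    print("import allowed" if allowed else "import BLOCKED: must-fix findings")
```

The two reports differ only in how the dynamic WHERE fragment is built and where the file name comes from: `ZREP_VULN` interpolates `p_name` straight into the condition and opens whatever path the user supplies, so the gate blocks the transport; `ZREP_OK` quotes the value through `cl_abap_dyn_prg` and uses a fixed path, so its one remaining finding is a "can fix" review item and the import proceeds.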
Conclusion
Organizations must not rely solely on AI-driven security processes. The human-implemented steps outlined in this article will go a long way toward improving the security of your code base and preventing new vulnerabilities from appearing in your SAP landscape. But beware: if critical vulnerabilities remain in your custom code, make sure your SAP security monitoring alerts you when code with critical findings is executed in your system. With third-party solutions this can be automatic, and it gives your SAP teams the time to check whether the execution is intentional or the dreaded cyberattack.