Scores of Vulnerable SAP Deployments Uncovered

mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."

I can explain

[slashmydots]

As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% the anticipated budget. They really couldn't afford it in the first place so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!

No problem. ..

[jd2112]

Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.

Re:I can explain

[Scutter]

When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.

How do you explain

[Anonymous Coward]

And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.

The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.

Re: Security and Market Dominance by Obscurity

[Anonymous Coward]

I have worked for SAP as a senior software engineer for 7 years now, though well outside of our main product line. I don't even know what it is the company software actually does after doing a bit of searching. Whenever someone starts asking me what the company does I just give a vague "business logistics software" and leave it at that.

Re:Color me surprised...

[cusco]

If you ever have to deal with their software you'll eventually realize that they don't understand it either.

Re:Color me surprised...

[Rich0]

I think they're some sort of brokerage house that manages and markets buzzwords.

++

They don't sell software - they sell a vision for your business. They don't sell it to anybody but the CEO.

They're also a classical example of how the usual RFP process fails. If you give me a list of 500 arbitrary requirements and ask "can SAP do this?" the answer is almost certainly yes. Go ahead and put landing a man on the moon on that list of requirements and the answer still is yes. The problem is that in order to do even the most trivial functions your employees will be exposed to something that almost outdoes the airline industry in terms of arcanity. For various reasons you're not allowed to put on the RFP the question "can your system be operated by anybody other than an SAP developer without first training them to be an SAP developer?"

This is a common failing in large systems. The only metric is checking all the boxes, so all the boxes get checked, and we don't even bother to deliver usability let alone try to measure it.