Scores of Vulnerable SAP Deployments Uncovered 118
mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."
Security and Market Dominance by Obscurity (Score:3, Interesting)
This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.
So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.
Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.
Re:I can explain (Score:5, Interesting)
I can also explain, having gone through a SAP implementation 2 years ago, we were still plagued with bugs that had fixes issued over 4 years ago..
Seems they somehow didn't install fully patched updated modules, and with a yearly renewal.upgrade cost it all makes sense now.
Re:SAP - I know what that means (Score:4, Interesting)
As a German person, working in a German company that uses SAP... I couldn't agree more. It's a broken POS that has the tendency to break other applications (anything VB related) when installed or updated. Can't wait to be rid of that crap.
Corporate vs. Programmers. (Score:4, Interesting)
I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.
My background is strong C++, having also worked at high frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP that would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and fear to rock the boat that is causing it to be the monolithic behemoth it has become. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggested they cut costs before everything was full completed (WebDynpro, OO ... I'm looking at you.).
I worked as a contractor at a bank about 10 years ago. And highlighted the fact that their vendors being able to upload file all to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I could wager a guess they did nothing about it at least for the time I was working there.
Then there is SAP's resource site (Sap Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load balanced host with new host name. The site is a mess and is still struggling to even resemble Web 1.0.
But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.
Re: I can explain (Score:2, Interesting)
No, he's correct. My last position involved a few cases of "just diddling the format" (literally changing a configuration variable in code I had already written and formally tested - including third-party validation). This particular report was glanced at by the head of a commission, then placed on the Governor's desk. Needless to say, 6 hours would be very short for a formatting change - 40 hours (in house, with an additional 4-8 third party billable) would be much more realistic.
Again, this is all for a "formatting" change. And required by state law.