In the last 20 years, the software ecosystem has invested billions of dollars in increasing software security through automated updates. Are your SAP systems protected?
A guest post by John Appleby
You may have opened your laptop in the last month only to be notified that your computer has automatically updated for your security. It wasn’t always this way. 20 years ago, your PC had to be manually updated, which left your computer vulnerable to attackers looking for ways into your private information.
In the last 20 years, the software ecosystem has invested billions of dollars both to reduce the attack surface created by software bugs that allow access to sensitive information, and to build software that updates automatically, keeping you protected without the need to apply manual updates.
What the industry found was that the average person doesn’t understand the risk of not updating, or thinks it won’t happen to them, so they don’t do it themselves. Much the same happens with manufacturer recalls for food and cars, which is why car manufacturers spend so much time contacting you to let you know your car needs a fix for a leaking fuel tank.
However, SAP has not followed this trend. Instead, it assumes that customers will secure their own systems, keeping them up to date and changing settings so they are secure. There are some customers who are very disciplined in this respect, especially those that operate in industries where the risk is very high, like Pharmaceuticals and Government.
As the latest Onapsis report details, the vast majority of SAP customers simply don’t do this, not because they don’t care, but because it is so incredibly complicated to keep their SAP system secure. Here are some key areas which need to be considered.
There are three major types of SAP updates
One approach is to invest in a big security audit, penetration testing, and best practices. Unfortunately, this is extremely expensive, and it only fixes the problem at that point in time. The reality is that most issues in SAP environments are caused by incorrect configuration and wrong versions.
What if someone had built software which:
- Provides a template set of best practices across all these areas, which can be tailored to your specific requirements
- Can either automatically apply these best practices to systems, or can automatically audit systems every day
- Instantly alerts you when a system is out of compliance and captures changes
- Delivers upstream service tickets so security issues have an associated incident
Want to learn more? Contact us for your own private demo.