SAP Acquires Security As Black Hats Take Aim

SAP announced it will acquire a chunk of Secude’s security business in order to bolster its identity management capabilities.

The deal, made for an undisclosed sum, brings security software, identity and access management software and other related assets into the SAP portfolio. In particular, the deal is focused on Secude’s Secure Login and Enterprise Single Sign-On products.

“We are very pleased that, in closing this transaction, SAP is not only in a position to satisfy our customers’ security requirements, but also to expand the SAP NetWeaver Identity Management component to include Secure Login Server and Enterprise Single Sign-On,” said Björn Goerke, senior vice president of the Technology and Innovation Platform Core at SAP, in a statement.

Anticipating The Black Hat Conference?

According to SAP, the acquisition of the technology is meant to underline its commitment to investing in security but, with SAP systems being increasingly connected to the Web, the security landscape is changing.

Just how much – and what those changes mean – will be highlighted at the upcoming Black Hat DC conference by Mariano Nuñez Di Croce, director of research and development for Onapsis.

“If we think about the common goals and motivations of attackers, such as espionage, sabotage and fraud, we’ll see that ERP systems and business-critical applications, such as SAP, have always been the natural target for them,” Nuñez Di Croce told eWEEK. “If someone is looking to access the most sensitive business information, these are the systems he would try to compromise.”

More than a decade ago, most ERP systems were only used internally, he added. Today, many organisations need to provide real-time, remote business management capabilities and therefore end up connecting them to untrusted networks such as the Internet, he said.

“I found it astonishing to see how most large organisations invest huge resources into securing their IT infrastructure, such as networking devices, operating systems and Web applications, but are still not protecting their ERP systems properly,” the researcher said. “Why would an attacker compromise a File Server if he can obtain full control of the systems keeping the organisation’s crown jewels?”

In his presentation on January18, Nuñez Di Croce is slated to explain how remote attackers can compromise different SAP Web components, and how those threats can be mitigated. In particular, he will detail an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations.

“In the briefing we are presenting vulnerabilities we have discovered in the Web components of SAP systems,” he said. “One of them is a bypass in the authentication of SAP Enterprise Portals when using external authentication mechanisms, such as two-factor authentication solutions. High-profile organisations using this kind of authentication are trying to increase their security level. However, if they do not do this cautiously and following SAP’s security recommendations, they can be shooting themselves in the foot, enabling attackers to completely bypass authentication and take control of the system.”

Traditionally, the security of these systems was only related to segregation of duties (SoD), he added.

“In 2011, that’s not enough anymore,” he said. “These systems feature their own technological frameworks which may be susceptible to specific security vulnerabilities. If they are exploited, this can invalidate all the efforts invested into applying SoD controls. I think that organisations must now… start auditing and securing their ERP systems holistically. SAP is also pushing in this direction with several proactive measures. It’s only a matter of time.”

Black Hat DC 2011 will run from January 16-19 at the Hyatt Regency Crystal City hotel in Arlington, Virginia, USA.