cybersecurity Archives - InsideSAP Asia
https://insidesap.asia/tag/cybersecurity/
The independent resource for SAP professionals in Asia

SAP Partner Delaware Singapore Teams Up with Project4S
https://insidesap.asia/sap-partner-delaware-singapore-teams-up-with-project4s/
Tue, 18 Aug 2020 21:00:00 +0000

After announcing the enhanced go-to-market strategy of going beyond core enterprise resource planning (ERP) and SAP S/4HANA Cloud implementations in April, SAP partner Delaware Singapore is now ready to deliver SAP security services across Southeast Asia.

Delaware Singapore has recently formed a partnership with Netherlands-based SAP Platform Security solution Protect4S to bring its products to Southeast Asian companies. Christophe Derdeyn, Director at Delaware Singapore, and Onno Coenen, Global Commercial Lead at Protect4S, signed the agreement.

The Protect4S SAP Platform Security solution enables SAP security automation and continuous improvement by a repeated process of scanning, analysis, and mitigation executed on all relevant layers of the operating system, database, and application. Protect4S’ periodic scans use more than 1500 checks.

Explaining the purpose of the partnership, Derdeyn said:

“Delaware provides SAP implementations and SAP managed services worldwide, and we see that the pressure on SAP security is increasing sharply.”

“Protect4S has convinced us with their enormous number of security checks, ease of use, and a high degree of automation,” he added.

Building Partnership

Delaware Singapore’s collaboration with Protect4S aims to enhance the SAP protection levels of companies in SEA. The partnership also makes the consulting company the first reselling and SAP Managed Services partner in Singapore.

“With Delaware Singapore, we not only get a strong reselling and managed services partner for the Southeast Asia region but also worldwide via the other Delaware countries,” Coenen stated.

“This is another big step to accelerate our global growth,” the Protect4S executive stressed.

Reinforcing SAP Security

The Protect4S SAP Platform Security solution comes at the most opportune time now that cybersecurity threats and regulations are increasing, putting pressure on the SAP systems’ security. Aside from protecting business-critical SAP assets on a continuous basis, the solution also automates many processes and guides additional actions via clear dashboards, task lists, and reports.

Monthly, the SAP Product Security Response Team releases information on Patch Day Security Notes to fix vulnerabilities discovered in SAP products. 

In May 2020, security firm Onapsis detected an extremely serious RECON vulnerability that affects all SAP applications running on SAP NetWeaver AS Java. Hackers can exploit the vulnerability, making all systems exposed to untrusted networks an attack target. This vulnerability affects over 40,000 SAP customers with increased exposure for an estimated 2,500 internet-facing systems.

SAP was able to fix the flaw within only a few weeks, given the seriousness of the RECON vulnerability, which had involved the U.S. Department of Homeland Security (DHS). The US-CERT Alert, AA20-195A, was issued in coordination with BSI CERT-Bund, followed by other global organisations providing warnings about potential threats associated with this vulnerability.

SAP marked its Security Patch Day on 11th August, releasing 15 security notes and an update to a previously released one (for the maximum-severity RECON vulnerability, CVE-2020-6287, in SAP NetWeaver AS Java).

Strengthening Presence in SEA

Delaware Singapore has been harnessing the region’s increased demand for digital transformation by partnering with technology solutions providers like Protect4S and Aprimo. 

In July, Delaware expanded its alliance with Aprimo, a provider of technology solutions for content, operations, and performance. The partnership’s go-to-market approach offers expertise across marketing, digital, and customer experience in Singapore, Malaysia, Indonesia, and the Philippines.

Why you can’t rely on systems integrators for SAP security
https://insidesap.asia/why-you-cant-rely-on-systems-integrators-for-sap-security/
Thu, 03 Oct 2019 21:45:21 +0000

Managing SAP security is now more complex than ever. With the impending deadline to upgrade to S/4 HANA driving ever greater adoption – and increasing levels of external access and interconnectivity – the cyber threat to SAP has never been higher. The level of expertise and knowledge required to appropriately manage SAP security has grown as a result – placing a greater focus on SAP security, and those who manage it.

However, when supporting SAP implementations, some systems integrators (SIs) don’t consider security highly enough – focusing too much on the functional aspects of the project in order to get the project over the line as efficiently as possible.

This is unsurprising as today, whilst having great functional experience, few systems integrators have the skills to safeguard SAP effectively. But not doing so at the point of implementation can have considerable consequences:

1. Overspent budgets

Projects often go over budget due to avoidable and costly retrospective security remediation. 

2. Missed deadlines

Retrospective remediation doesn’t only cost money, it costs time – often resulting in missed project deadlines.

3. Auditor rejection

When it comes to the project being approved, either by auditors or internal teams, if the appropriate security measures haven’t been implemented it’s unlikely to get the go-ahead.

4. Business downtime

If left unchecked, poor security controls can result in downtime – restricting user access to your business-critical application.

Often a more effective approach to implementation is to employ an SAP security specialist to work alongside an SI – bringing together great functional experience with the right security expertise. But how does this work in reality? How can SAP security specialists work alongside SIs?

Find the answers in the next part of Turnkey’s 7-part video series – where Turnkey’s global management team met to address some of the biggest challenges facing SAP security professionals today.

SAP Fiori and cybersecurity: what’s the risk?
https://insidesap.asia/sap-fiori-cybersecurity-whats-risk/
Tue, 02 Oct 2018 12:31:15 +0000

With more businesses looking to enable workers to access SAP on the go via mobile devices, Joerg Schneider-Simon discusses how you can protect your systems from content-based cyber-attacks.

How we do business has changed. The lines are being blurred between work time and home time, between office, home, and public spaces, and between work devices and personal ones. People in coffee shops are submitting purchase orders on their phones, and then checking Twitter.

SAP has positioned itself in this new environment with Fiori, a UX-optimised app experience powered by SAP HANA. Fiori is designed to allow on-the-go access to commonly used SAP systems.

This is incredibly convenient, in many ways. Sales reps can submit orders and reports easily while out in the field. Manufacturing staff can upload images and data from the plant floor. Suppliers can send through specs and quotes while in transit.

However, it’s not all sunny news.

When a company’s SAP environment extends beyond the boundaries of their protected corporate network, the risk surface increases exponentially:

  • Fiori is often accessed via mobile devices, which may or may not be well-secured by the manufacturer. In addition, users may be careless with their device security, leaving it unattended or failing to implement a secure screen lock.
  • Accessing Fiori on public, unprotected wi-fi provides no network security to users. With the public server acting as a midpoint, redirection attacks are a significant risk.
  • In crowded public places, cyberattackers could easily film a user typing in their credentials, using them later to enter the system and wreak havoc.

As a result of Fiori’s increased attack surface, SAP systems could face an onslaught of cyberattacks.

This is extremely bad news for many companies: Most organisations that use this type of enterprise software wind up interweaving it into multiple business functions. A typical resource extraction company, for example, could use SAP for their human resources, their accounts payable and receivable, for purchasing, and to track production. If the SAP system is breached by cyberattack, a couple of things could happen:

  • The cyberattacker could sabotage systems, either on a large scale, or in small and subtle ways that lead to a domino effect of critical mistakes.
  • The cyberattacker could also steal confidential data. Data on personnel could be sold on the black market to identity thieves, while corporate data could fall into the hands of competitors.

And either way, companies’ reputations tend to suffer when it’s publicly revealed that they’ve fallen victim to a major cybersecurity breach. In some cases, it’s been a death knell.

There are multiple types of attacks that cybercriminals can use to penetrate SAP’s defenses. One (among many) is MIME-type filter evasion.

SAP and MIME type checks

Typically, when somebody uses a Fiori app to upload a file to an SAP system, the file extension is reflective of the file within. A .pdf indicates a PDF file. A .docx indicates a Microsoft Word file. It’s pretty straightforward … usually.

But what if that .pdf file is actually an .exe file?

It turns out that cyberattackers send disguised malicious files through to organisations’ SAP systems, simply by changing the file extension.

As a trick, it’s brilliant (yet incredibly frustrating) in its simplicity.

Even more frustrating, according to our research, 30 per cent of SAP installations do not implement any filtering or restrictions on the types of files accepted by the application. And even if they do, SAP’s built-in file-type filtering relies solely on the extension of the filename. So if an organisation is one of the 70 per cent that does filter file types, it may be all for naught if cyberattackers are simply changing the extension and slipping through anyway. And they are slipping through: more than 60 per cent of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to a permitted extension type.
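The gap described above, shown as an added example that is not from the original article, SAP or bowbridge: Python code contrasting an extension-only filter with a check that compares the file's leading bytes (and, for .docx, its ZIP members) against the claimed type. The upload policy, function names and sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Hypothetical upload policy: allowed extensions and their leading bytes.
SIGNATURES = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}  # .docx is a ZIP container

def extension_allowed(filename: str) -> bool:
    """Extension-only filter, the check that renaming a file defeats."""
    return PurePath(filename).suffix.lower() in SIGNATURES

def content_matches(filename: str, data: bytes) -> bool:
    """True only if the bytes carry the signature of the claimed type."""
    ext = PurePath(filename).suffix.lower()
    sig = SIGNATURES.get(ext)
    if sig is None or not data.startswith(sig):
        return False
    if ext == ".docx":
        # A ZIP header alone is not enough: require the Word document parts.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return {"[Content_Types].xml", "word/document.xml"} <= set(zf.namelist())
        except zipfile.BadZipFile:
            return False
    return True

def validate_upload(filename: str, data: bytes) -> str:
    if not extension_allowed(filename):
        return "reject: extension not allowed"
    if not content_matches(filename, data):
        return "reject: content does not match extension"
    return "accept"

def make_zip(*members: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "<x/>")
    return buf.getvalue()

# Constructed samples: header bytes only, no real documents or executables.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "invoice.pdf": b"MZ" + bytes(62),  # executable-style header renamed to .pdf
    "notes.docx": make_zip("[Content_Types].xml", "word/document.xml"),
    "archive.docx": make_zip("payload.bin"),  # plain ZIP renamed to .docx
}

for name, data in SAMPLES.items():
    print(f"{name:13} extension-only: {extension_allowed(name)}  full check: {validate_upload(name, data)}")
```

A matching signature is a minimum requirement rather than proof that a file is harmless, so this check complements content scanning of uploads rather than replacing it.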

The tip of the iceberg

There are multiple ways that cybercriminals can stage attacks on SAP users and applications, with Fiori apps providing a more porous attack surface with which to do so. Companies need to be vigilant in ramping up their SAP cybersecurity, using a multi-pronged strategy to reduce risk.

Learn more about the other types of attacks Fiori might let slip through and the specific steps your company can take to protect its SAP system by watching our webinar, ‘Protecting Fiori and SAP Applications From Content-Based Cyber-Attacks’.

This article is sponsored by bowbridge Software. Joerg Schneider-Simon is the chief technology officer and co-founder of bowbridge Software, which offers SAP cybersecurity solutions for organisations worldwide. With over 20 years of security and IT experience, Joerg is a popular international speaker on traditional IT and network security, malware, vulnerabilities and exploits, and SAP infrastructure.
