
The Truth Behind the Vulnerability of SAP Software

Feature Article | November 11, 2015 by Rajiv Sekhri

Every few months there are headlines that say a software security company has found X number of “vulnerabilities, some critical in SAP software.” The truth is that these headlines are meant to draw eyeballs. If you look at the facts, a different story emerges.

Successful software vendors, including SAP, are subject to intense scrutiny by independent security research companies such as Onapsis, ERPScan and ERPSecurity, to name a few. These companies notify SAP of the vulnerabilities they find, and SAP releases security patches to customers, typically on the second Tuesday of every month, known as Security Patch Day. Once the patches are available, these security companies – which also include Core Security, Trustwave SpiderLabs, ESNC, Sense of Security and ZDI – publish their findings, which allows them to market their security expertise, products and services. This is called responsible disclosure because security patches are available before the vulnerabilities are disclosed.

“The SAP Product Security Response Team (PSRT) enables a responsible disclosure of vulnerabilities in SAP software by collaborating with external security research companies,” said Siddhartha Rao, head of the Products Security Response at SAP.

“Companies such as Onapsis & ERPScan work closely with SAP PSRT to ensure that fixes to the vulnerabilities they report are available before information on those vulnerabilities becomes public domain. Their blogs and articles often refer to the security notes released by PSRT,” he added. “This is a sign of a mature security response process, and positions SAP as a responsible vendor of products and cloud services.”

Blogs or press releases by Onapsis and others are timed to specific events, such as security conferences, or when SAP issues its regular software patches.

Security: The IT Industry’s Big Thing

As the global leader in business software, SAP takes the security of customer data seriously and has based its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on trainings, tools and processes to enable the delivery of secure products and services.

Partnerships with external security experts are one of the many ways that SAP and other software companies ensure that customers get secure and reliable software solutions.

The truth behind these scaremongering headlines is that SAP’s software is helping the world run safely and securely and has done so for more than 40 years. And part of this milestone is thanks to all researchers and security IT professionals, such as Onapsis, that help us discover and solve security vulnerabilities.



1 comment

  1. Rob Arundel

    I'd rather see this type of responsible approach to security. SAP have come a long way, akin to Microsoft, who previously had the ‘wet paper bag’ level of security but in the post-Windows XP era have adapted and put security at the heart of their strategy.

    The latest and greatest products (for any vendor) will typically see a higher volume of security issues; so long as we are getting advice on best practice, regular review and patches, then this is fine, and SAP are facilitating all these things.

    I'd rather see this approach compared to an SAP competitor with a CSO who ranted at their customers and independent security firms for providing details on security vulnerabilities.
