LAS VEGAS — For many enterprises, SAP's (NYSE: SAP) software is mission-critical. But according to Mariano Nunez Di Croce, a security researcher from Argentinean research vendor Onapsis, SAP software is at risk even when users properly follow all of the company's security guidelines.
In a talk here at the Black Hat security conference, Di Croce argued that SAP deployments could be at risk from back doors, a technique used by hackers to secure future access to a system while remaining undetected.
Di Croce is no stranger to hacking enterprise software — his firm also has an open source tool called Bizsploit that is used for penetration testing of ERP software platforms.
Overall, Di Croce argued that SAP vulnerabilities are on the rise. According to his data, 2010 has already seen more than 250 security SAP security notes, up from fewer than 50 in 2007. He added that when SAP issues a security note, there is already a fix for the issue.
But even with all the security notes, Di Croce said there is still risk, in part because SAP runs as a component of an integrated platform that includes the application, database and operating system layer.
"Compromise any of those layers and you can compromise the whole platform," Di Croce said.
Once hackers penetrate the system, Di Croce noted that there are a number of mechanisms they could leverage to create a back door, including the SAP password hash security system.
In Di Croce's view, it is very difficult to actually detect back doors from within an SAP system. As part of his research, his firm built a tool called the Onapsis Integrity Analyzer of SAP to try to detect potential risks. The tool is set to be made publicly available next week as a free download.
"If you followed every SAP security note that is available are you still at risk? I have to say yes," Di Croce said in response to a question from InternetNews.com. "You will reduce the attack surface but there are still human errors that can occur."
For instance, if users have more permissions than they should, they could potentially install a back door, he explained. Additionally, an attacker could exploit the database layer supplied by another vendor, such as Oracle.
"SAP users should follow all SAP security notes, but it's not a foolproof concept," Di Croce said.
Read more about SAP ERP here.