The Challenge of Patching
Keeping Up With Patches Is One of the Biggest Challenges Organizations Face Today
⇨ Keeping up with patches is one of the biggest challenges faced by SAP organizations
⇨ Knowledge of vulnerabilities is more readily available
⇨ Patching systems regularly is a complex task for companies with many SAP systems
One of the biggest challenges that organizations face today in keeping their SAP systems secure is patching them. In our recent research on Cybersecurity Threats to SAP Systems, respondents reported that keeping up with patches and updates was the second most important challenge they faced, behind detecting potential threats. For respondents in North America and EMEA, it was the biggest challenge they faced.
Why Is Patching Important?
But why is keeping up with patches so important? And why is it such a challenge for organizations? In a post this week, SAP cybersecurity partner Onapsis indicated that they had discovered three actively exploited vulnerabilities that impacted different components of the SAP NetWeaver platform. All of these are now listed on the Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities so that organizations can learn about and respond to them, but they represent the challenge that organizations running SAP solutions face today.
The first issue is that the vulnerabilities themselves exist and need to be addressed. For many SAP customers this in itself can be a complex task. These vulnerabilities exist in the SAP NetWeaver platform, and large SAP customers may have hundreds of SAP NetWeaver instances running across their landscape. Even using a tool like SAP Solution Manager to streamline system patching, the deployment of these patches must be scheduled and synchronized to ensure that the performance of critical systems is not impacted by the patching. Not every patch requires a full system restart, but some will and that can be complex for a global organization to schedule.
A second issue is that blogs like these are critically important to the security and SAP teams that follow them to ensure that they do not miss patching important vulnerabilities, but they also mean that those who might be interested in exploiting these vulnerabilities may learn about them more quickly. In a recent conversation Abhijeet Pathania, Senior Manager SAP Cyber at Deloitte, said that “more information in the market means that both organizations running SAP solutions and hackers are more aware of the vulnerability.” This puts the onus on organizations running systems with vulnerabilities to patch them more quickly.
Another important issue is knowing which patches are the most important to apply. This can be especially true when implementing patches on systems for which any downtime is expensive and difficult to schedule. Blogs like the one that Onapsis hosts highlight which vulnerabilities are being exploited, but organizations must still juggle these patches with those addressing software functionality and performance.
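As an added illustration (not code from this article, SAPinsider or Onapsis), the example below shows one way to rank pending patches so that fixes for vulnerabilities listed in a feed shaped like the CISA catalog mentioned above come before other security and functional patches. The patch names, CVE ids, dates and inventory fields are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Field names follow
# the published schema; CVE ids and dates are placeholders, not real entries.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "SAP", "product": "NetWeaver",
   "dateAdded": "2030-01-05", "dueDate": "2030-01-26"},
  {"cveID": "CVE-0000-0002", "vendorProject": "SAP", "product": "NetWeaver",
   "dateAdded": "2030-01-02", "dueDate": "2030-01-19"},
  {"cveID": "CVE-0000-0099", "vendorProject": "ExampleVendor", "product": "Widget",
   "dateAdded": "2030-01-01", "dueDate": "2030-01-15"}
]}
""")

# Hypothetical export of patches awaiting deployment (assumed field names).
PENDING = [
    {"patch": "NOTE-A", "cve": "CVE-0000-0001", "cvss": 7.5, "restart": True},
    {"patch": "NOTE-B", "cve": "CVE-0000-0002", "cvss": 6.1, "restart": False},
    {"patch": "NOTE-C", "cve": "CVE-0000-0003", "cvss": 9.1, "restart": True},
    {"patch": "NOTE-D", "cve": None, "cvss": 0.0, "restart": False},  # functional fix
]

def kev_index(feed, vendor="SAP"):
    """Map CVE id -> KEV due date for one vendor's catalog entries."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()}

def prioritize(pending, feed, today):
    """Known-exploited fixes first (earliest due date), then by CVSS descending."""
    kev = kev_index(feed)
    ranked = []
    for p in pending:
        due = kev.get(p["cve"])
        ranked.append({**p, "exploited": due is not None,
                       "days_left": (due - today).days if due else None})
    ranked.sort(key=lambda r: (not r["exploited"],
                               r["days_left"] if r["exploited"] else 0,
                               -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(PENDING, KEV_SAMPLE, today=date(2030, 1, 5)):
        flag = "KEV" if r["exploited"] else "   "
        print(flag, r["patch"], r["cve"], "restart" if r["restart"] else "online",
              r["days_left"])
```

The catalog's due dates are set for US federal agencies; here they serve only as an ordering signal, and the `restart` field is carried through so that scheduling can be planned from the same list.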
Lastly, SAP teams must also work closely with security and cybersecurity teams to ensure that SAP systems don’t become a blind spot from a cybersecurity perspective. Because the SAP teams that manage them have historically been responsible for all of the management of those systems, including patching, these systems are sometimes overlooked when checking for more imminent vulnerabilities. This may not have been as significant a challenge when patching was more focused on compliance, but with cybersecurity vulnerabilities much more widely known this may be a real challenge for organizations.
What Does This Mean for SAPinsiders?
Patching is a challenge that cannot be ignored by any SAP organization. Patches must be applied regularly to ensure that newly discovered threats are addressed before they become vulnerabilities. But this must be done in a way that minimizes downtime to critical systems while keeping those systems safe. What are some steps that you can take in your organization?
- Ensure that your security and SAP teams are aligned and work closely together to protect your SAP systems.
- Monitor blogs or threat intelligence feeds to gain insight on new threats before they become vulnerabilities.
- Implement technologies that will provide insight into activity in your SAP systems so that you can identify and remediate any potential attacks.