SAP NetWeaver Vulnerability - Fix or Secure?

The recent disclosure that thousands of Internet-facing SAP NetWeaver implementations are vulnerable to severe compromises will no doubt send some admins scurrying to their security team.

But the release of this information raises a question: is it preferable to fix each vulnerability as it appears, or to secure the environment as a whole?  We definitely lean to the latter, but see much of the former (and are sympathetic to some of the reasons why this occurs).  In the case of the SAP NetWeaver vulnerability, one of the frustrating things about trying to fix the vulnerability directly is that without access to the code you are completely dependent on the vendor providing a fix.  The same applies to just about any off-the-shelf web application, and to databases as well (think of the Oracle vulnerabilities).

Without a web application firewall (or, for databases, a database firewall) users are effectively left in the hands of the vendor while a fix is developed.  Not ideal.  And even with a web application firewall the picture varies: some products will take days to configure to address a new vulnerability, others will take minutes, and some will already have delivered proactive protection.  Bear in mind that a firewall rule of this kind is a virtual patch, a stopgap that blocks the known attack path while the vendor patch is awaited; the vendor fix should still be applied once it is available.
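To make concrete what "configuring the firewall to address the vulnerability" involves, here is an added example of a virtual patch written in Python. It is not code from this page, from CoreSight or from Imperva; the endpoint path /hypothetical/vulnerable/servlet is a placeholder, not a real SAP NetWeaver URL, and the sample requests are constructed. It contrasts a naive rule that matches the literal path with one that normalises the request path first, which is the kind of detail that separates a rule written in minutes from one that actually holds up.

```python
"""Illustrative virtual patch of the kind a web application firewall applies
to deny requests for a vulnerable endpoint while the vendor fix is pending.

Added example, not CoreSight's or Imperva's code.  The blocked path below is a
hypothetical placeholder, not a real SAP NetWeaver endpoint, and the sample
requests are constructed for demonstration.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical endpoint the (assumed) vendor advisory tells you to block.
BLOCKED_PREFIXES = ("/hypothetical/vulnerable/servlet",)


def normalise_path(raw_path: str) -> str:
    """Canonicalise a request path before matching it against rules.

    A rule that matches only the literal string is bypassed by percent
    encoding, mixed case, duplicate slashes, backslashes or '..' segments,
    so the firewall must normalise before it compares.
    """
    path = raw_path.split("?", 1)[0]  # the query string is not part of the path
    for _ in range(2):                # decode twice to defeat double encoding
        path = unquote(path)
    path = path.replace("\\", "/")    # treat backslashes as separators
    path = posixpath.normpath(path)   # collapse '//', '/./' and '/../'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()               # case-insensitive comparison


def naive_rule(raw_path: str) -> bool:
    """Deny only on an exact literal prefix match: quick to write, easy to bypass."""
    return any(raw_path.startswith(p) for p in BLOCKED_PREFIXES)


def virtual_patch(raw_path: str) -> bool:
    """Return True when the request should be denied, after normalisation."""
    path = normalise_path(raw_path)
    return any(path.startswith(p) for p in BLOCKED_PREFIXES)


# Constructed sample requests: one benign, one direct hit, then several
# attempts to reach the same endpoint through encoding and path tricks.
SAMPLE_REQUESTS = [
    "/sap/public/info",                               # benign
    "/hypothetical/vulnerable/servlet",               # direct request
    "/HYPOTHETICAL/Vulnerable/Servlet",               # case variation
    "/hypothetical//vulnerable/./servlet",            # duplicate slash, dot segment
    "/hypothetical/%76ulnerable/servlet",             # percent-encoded 'v'
    "/hypothetical/vulnerable/%2e/servlet",           # percent-encoded '.'
    "/other/../hypothetical/vulnerable/servlet?x=1",  # traversal plus query
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (request, denied_by_naive_rule, denied_by_virtual_patch) per request."""
    return [(r, naive_rule(r), virtual_patch(r)) for r in requests]


if __name__ == "__main__":
    for request, naive, patched in evaluate():
        print(f"{request:50} naive={naive!s:5} virtual_patch={patched}")
```

Run stand-alone, the loop shows the naive rule denying only the literal request while every disguised variant sails through; the normalising rule denies all six. A production rule would also need to consider the HTTP method, host header and any vendor-specific parameters, which is where the days of configuration the paragraph mentions tend to go.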

But the end game is that what we're actually trying to achieve is the prevention of any significant data breach.  To this end, our view is that the optimal approach isn't sticking on ad-hoc band-aids as flaws are uncovered.  Instead, it's a method for protecting your database and file data from the risk of:

  • Hacking and external threats
  • Insider threats (malicious or otherwise)

Application vulnerabilities are sometimes treated as a risk in their own right, but we prefer the view that exploiting web application vulnerabilities (such as the one in SAP NetWeaver) is commonly just the 'easiest approach' for those wishing to reach the data held within an organisation.  The vulnerability is the entry point; the data is the target.

Now, from an SAP perspective, effectively securing your data extends even further than this.  The aim is to:

  • Understand where the sensitive data resides
  • Protect and audit all access to this sensitive data
  • Implement controls that enforce separation of duties
  • Ensure the operational availability of SAP

The last point can sometimes be undervalued by the security team, but from the operational side there will be far more buy-in if you can achieve the points above without any production impact on the application(s).

Part of what we understand about SAP (and data security in general) is derived from our vendor partners, and in particular Imperva.  Please contact CoreSight if you would like more information about Imperva, or to discuss your situation in more depth.

There are also some potentially useful resources as follows:

Imperva Empowers SAP Users to Be Secure and Ready for Business
Security and Compliance Solutions for SAP
Interview with Dave Anderson -- Director of Marketing for SAP Business Objects governance, risk and compliance solutions (podcast, transcript available)

Contact Details

Ph: 03 9878 2726
Ph: 02 8011 3337
E: info@coresight.com.au

10/11 Mary St
BLACKBURN VIC 3130
