Today we discuss how to reduce the risk posed by operating-system access vulnerabilities in SAP code, that is, ABAP code that reads or writes files on the application server or executes operating-system commands. Vulnerabilities of this kind can lead to unauthorised data access, modification of system files or execution of malicious code with the privileges of the SAP OS user, which is why it is important to follow the principles set out below.
How to prevent vulnerabilities from occurring?
Integrating security into the software development lifecycle (DevSecOps)
Security should be an integral part of the software development process. This means:
- Patch and update management: Regularly apply SAP Security Notes and support package stack (SPS) updates. Assess and deploy patches promptly according to their criticality to keep the window of exposure short, and track the process so that the effectiveness of these actions can be verified.
- Automated code scanning: Use static code-analysis tools to check custom code for security vulnerabilities as it is written. Making a scan mandatory at transport release allows vulnerabilities to be detected and fixed before the code reaches production.
- Developer training: Regular training on secure coding practices and current threats is essential. Developers should be taught protective practices such as input validation, secure database access and safe use of APIs, and should have access to the code-scanning tools so that they can check their own code before release.
How to detect vulnerabilities that already exist?
Monitoring and logging
Implement monitoring and logging that records file access and OS command execution originating from the application layer, and that raises an alert on unauthorised or unexpected access attempts. Without this record, a vulnerability that is already being exploited stays invisible; with it, security incidents can be detected and responded to quickly.
How to reduce the impact of existing vulnerabilities?
Permission configuration
Ensure that file and directory permissions are configured correctly:
- Correct permissions: Assign the minimum necessary permissions by setting the owner, group and access mode (chown, chgrp, chmod) on files and directories. Be especially careful about granting execute permission on binaries and scripts.
- Avoid shared directories: Minimise the use of shared (for example NFS-mounted) directories that are writable without restriction by the <sid>adm user or the sapsys group, to limit the scope for lateral movement between systems in the SAP landscape.
Restricting file system access
The SAP file-system access filter, table SPTH, restricts the paths that ABAP programs can reach through the file interface (OPEN DATASET, DELETE DATASET and so on). It is evaluated in addition to the S_DATASET authorisation check and applies only to the ABAP layer, so it complements rather than replaces the OS-level permissions above:
- Access filtering: Use SPTH to limit which paths may be read or written, especially where users hold broad or unrestricted S_DATASET authorisations. For sensitive directories, assign an authorisation group (field FS_BRGRU) so that the S_PATH authorisation object is checked as well.
- Regular reviews: Review SPTH entries regularly to confirm they still match the intended restrictions. Activate table change logging for SPTH and evaluate the logs to detect unauthorised or unintended changes.
Avoiding OS command calls from application code
The most reliable way to remove the risk of calling operating-system commands from ABAP is not to call them at all; where a call is unavoidable, constrain it:
- Alternative methods: Prefer ABAP-native functionality (the file interface, standard function modules and classes) over shelling out to the operating system to achieve the same result.
- Secure parameters: If an OS command call is necessary, do not use direct kernel calls such as CALL 'SYSTEM' with a concatenated command string. Use logical (external) commands maintained in transaction SM69 and executed through the function module SXPG_COMMAND_EXECUTE, with fixed predefined parameters and no wildcard characters. Execution of a logical command is also subject to the S_LOG_COM authorisation check.
- Strong input validation: Where any part of a command comes from user input, validate it against a whitelist of permitted values, check that numeric input really is numeric, and restrict free-text input to alphanumeric characters with no path separators or shell syntax.
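As an added illustration (not code from the original article, SecurityBridge or SNOK), the following ABAP report contrasts a vulnerable kernel call with the hardened approach described above. The report name, the logical command ZCAT_TMP (assumed to be defined in SM69 as operating-system command cat with additional parameters allowed) and the directory /usr/sap/tmp are assumptions; the whitelist checks and the SXPG_COMMAND_EXECUTE interface are standard.

```abap
REPORT zos_cmd_hardened.

" Added example: display a file from /usr/sap/tmp (assumed directory).
" ZCAT_TMP is an assumed SM69 logical command: OS command 'cat',
" 'additional parameters allowed', no wildcards.
PARAMETERS p_file TYPE c LENGTH 40 LOWER CASE.

CONSTANTS gc_allowed TYPE string VALUE
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.'.

" ---------------------------------------------------------------------
" VULNERABLE (kept only as a comment, do not use): user input is
" concatenated into a shell command. p_file = 'x; cat /etc/passwd'
" runs a second command as <sid>adm; '../../profile/DEFAULT.PFL' reads
" outside the intended directory.
" ---------------------------------------------------------------------
"  DATA: BEGIN OF lt_out OCCURS 0, line TYPE c LENGTH 255, END OF lt_out.
"  DATA lv_cmd TYPE c LENGTH 255.
"  CONCATENATE 'cat /usr/sap/tmp/' p_file INTO lv_cmd.
"  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd ID 'TAB' FIELD lt_out-*SYS*.

" ---------------------------------------------------------------------
" HARDENED: whitelist validation + logical command with one parameter
" ---------------------------------------------------------------------
CLASS lcl_input DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only for a plain file name:
    " non-empty, characters from gc_allowed only, no '..' sequence.
    CLASS-METHODS is_safe_name
      IMPORTING iv_name        TYPE csequence
      RETURNING VALUE(rv_safe) TYPE abap_bool.
ENDCLASS.

CLASS lcl_input IMPLEMENTATION.
  METHOD is_safe_name.
    " CONV string drops the trailing blanks of the CHAR field, so CO
    " compares only the characters the user actually typed.
    DATA(lv_name) = CONV string( iv_name ).
    rv_safe = xsdbool( lv_name IS NOT INITIAL
                   AND lv_name CO gc_allowed
                   AND lv_name NS '..' ).
  ENDMETHOD.
ENDCLASS.

AT SELECTION-SCREEN ON p_file.
  IF lcl_input=>is_safe_name( p_file ) = abap_false.
    MESSAGE 'Invalid file name: only letters, digits, _ and . are allowed'
      TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  DATA lv_params   TYPE sxpgcolist-parameters.
  DATA lt_protocol TYPE STANDARD TABLE OF btcxpm WITH DEFAULT KEY.
  DATA lv_status   TYPE extcmdexex-status.
  DATA lv_exitcode TYPE extcmdexex-exitcode.

  " Only the validated name is passed, as the additional parameter of the
  " logical command. The kernel additionally rejects shell metacharacters
  " (exception SECURITY_RISK) and checks authorisation object S_LOG_COM.
  lv_params = |/usr/sap/tmp/{ CONV string( p_file ) }|.

  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname                   = 'ZCAT_TMP'   " assumed SM69 command
      additional_parameters         = lv_params
      operatingsystem               = sy-opsys
    IMPORTING
      status                        = lv_status
      exitcode                      = lv_exitcode
    TABLES
      exec_protocol                 = lt_protocol
    EXCEPTIONS
      no_permission                 = 1
      command_not_found             = 2
      parameters_too_long           = 3
      security_risk                 = 4
      wrong_check_call_interface    = 5
      program_start_error           = 6
      program_termination_error     = 7
      x_error                       = 8
      parameter_expected            = 9
      too_many_parameters           = 10
      illegal_command               = 11
      wrong_asynchronous_parameters = 12
      cant_enq_tbtco_entry          = 13
      jobcount_generation_error     = 14
      OTHERS                        = 15.

  IF sy-subrc <> 0.
    " Fail closed; report the return code, not the raw command line.
    MESSAGE |External command failed (rc { sy-subrc }, status { lv_status })|
      TYPE 'E'.
  ENDIF.

  LOOP AT lt_protocol INTO DATA(ls_line).
    WRITE: / ls_line-message.
  ENDLOOP.
```

Two layers are deliberate: the ABAP-side whitelist (is_safe_name) rejects path traversal and anything that is not a plain file name before it leaves the program, and the SM69 definition fixes which binary runs, so even a bypass of the first check cannot change the command, only its single argument. Keeping the validation in a local class also lets it be covered by an ABAP Unit test independently of the OS call.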
How does SecurityBridge detect and analyse security vulnerabilities?
SecurityBridge provides advanced solutions for detecting and analysing security vulnerabilities in SAP systems. Through the use of advanced algorithms and continuous monitoring, SecurityBridge is able to quickly identify potential threats and provide detailed reports on detected vulnerabilities. The tool enables automation of the scanning and analysis process, which significantly shortens response times to threats. In addition, SecurityBridge offers real-time monitoring functions, enabling continuous tracking of the security status of SAP systems.
SNOK’s role in ensuring security
SNOK, as a trusted SAP and SecurityBridge partner, supports organisations in securing their SAP environments. SNOK’s specialists deliver comprehensive solutions and services that help companies manage security, monitor and update their systems. Through advanced tools and DevSecOps practices, SNOK supports companies in integrating security at every stage of the software development lifecycle. In addition, SNOK leverages SecurityBridge’s capabilities to effectively secure the systems of numerous clients, providing them with peace of mind and security. Training provided by SNOK for developers and administrators ensures that their skills remain aligned with the latest security standards.
Summary
Managing the risk of operating-system access vulnerabilities in SAP code requires a comprehensive approach encompassing prevention, detection and mitigation of threats. Regular updates, DevSecOps integration, monitoring and correct permission configuration are key elements of an effective security strategy.