Does SAP handle security researchers better than Oracle?

SAP was once a security laggard, according to one security researcher, but in light of yesterday’s rant by Oracle’s CSO, SAP is looking pretty good.

As Oracle spent Tuesday back-peddling from its chief security officer’s attack on security researchers, its German rival in ERP systems SAP was busy releasing over two dozen own fixes for flaws affecting multiple platforms including its in-memory database HANA and SAP Mobile, the platform for enterprise customers to build smartphone apps to access business systems. Both systems are used in dozens if not hundreds of Fortune 500 companies.

The highest risk bug in SAP’s August update was remote command execution bug in one product that allows an attacker to run commands remotely, according to SAP and Oracle security specialist ERPScan.

Another affects a component of SAP NetWeaver called AFP Servlet, while two more bugs affected SAP’s in-memory platform HANA

Fellow SAP specialist security firm, Onaspis, found three bugs deemed by SAP as “high risk” that undermine the security of SAP Mobile’s DataVault, which is used to store and encrypt sensitive information on the mobile device.

In all three cases, an attacker would need physical access to the device to exploit the bugs, but if they were to gain that they’d be able to decrypt credentials and other information stored on the device; modify configuration identifiers used to access SAP business applications; or read encrypted log in credentials stored in the device.

SAP released fixes for 22 security flaws in its August update and a further four updates to fix previously released patches — and most of them were provided by external security researchers that SAP credited with discovering.

While SAP hasn’t had the best history of dealing with security researchers and fixing the flaws they’ve reported, it is a different story to the colourful post by Oracle’s CSO Mary Ann Davidson yesterday who drew a line at reverse engineering its software and chastised its customers and researchers for doing so.

Customers might be concerned about advanced hackers using zero-day flaws in Oracle software to breach their data, but in Davidson’s view it was a cut and dry argument over customers violating their end user license agreement (EULA). Therefore, Oracle didn’t welcome bug reports derived from this technique and wouldn’t reward reporters with any acknowledgement for finding them.

SAP has similar terms in its EULA in its statement 6.2 Protection of Rights that states "Reverse engineering of the Software and other SAP Materials is prohibited" — a clause that ERPScan’s chief technology officer Alexander Polyakov is very familiar with.

Despite this, Polyakov told CSO Australia that SAP doesn’t penalise researchers if they do violate its EULA.

“[Credit doesn’t] depend on how vulnerability has been found,” said Polyakov.

Polyakov has found over 30 bugs in Oracle’s ERP software and a multitude of bugs in SAP’s.

Davidson also said that Oracle didn’t need outside help since its own engineers — with the benefit of legal access to its source code — found over 80 percent of bugs it fixes while external researchers found just three percent. Bug bounties were of little value to Oracle since it made more sense to simply hire its own white hat hackers.

But Polyakov argues that the research that third-party consultants is valuable and results they produce are often the result of far less invasive ways to uncover bugs in both Oracle’s and SAP’s software.

“There is no need to use such aggressive techniques [as reverse engineering] to discover most of vulnerabilities. Just basic checks, such as putting a quote in the name field to identify potential SQL Injection vulnerability, work perfectly,” he said.

Despite Davidson’s warning to researchers and customers over reverse engineering, Polyakov said he’d never received such a message from Oracle, though he added that Oracle still hasn’t fixed a flaw he reported to it three years ago.

“We have never received messages telling us to stop researching Oracle products. It may be so because our notifications usually provide examples of real vulnerabilities. Well, sometimes it turned out that the vulnerability we found had been discovered earlier by Oracle itself or by other researchers. We were credited 16 times and always were acknowledged. Another matter is that we were often waiting for it for more than 3 years, like it was with this vulnerability. And this is not an isolated case,” said Polyakov.

SAP’s handling of security researchers was recently called in to question after it appeared to take offence to Onaspis' claim that 95 percent of SAP customers largely failed to apply SAP’s patches — a situation the firm said was partly due to SAP’s secretive approach to disclosing flaws.

SAP may have some room to improve but according to Polyakov, the company is far better than it was just five years ago.

“In 2007, when we just started to send vulnerabilities to SAP, there was only one person who was responsible for security response in SAP. And until about 2010 we had do describe in detail almost every step we take to exploit a vulnerability and give examples of real threats. Sometimes our correspondence lasted for months,” he said.

“Nowadays SAP Security Response Team consists of dozens of people worldwide. They require little or no additional information, as they are highly skilled in security. SAP also holds annual training sessions for the team and developers. We were invited to these meetings to share our knowledge.”

Given that Oracle and SAP underpin the majority of IT systems in industries deemed “critical infrastructure” it’s likely to benefit everyone if vendors take a less adversarial approach to security researchers.

“Nuclear power plants, manufacturing, banking - name anything and you will find either Oracle or SAP or both systems, which manage mission-critical processes. When this kind of vendor is telling that they don't need any help from external researchers, in terms of vulnerability findings, well, this world is too dangerous,” Polyakov.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list. 

Get newsletters, updates, events and more right here

Join the CSO newsletter!

Error: Please check your email address.

Tags database HANAcyber attacksSAP MobileSAPPolyakovnetweaversecurity researchOracle

More about CSOCustomersOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts