Filling the Gaps in ERP Security


Improved ERP security is a must as threat actors have become smarter, quicker, and more sophisticated with their attacks on business-critical applications.

Despite their importance, business-critical Enterprise Resource Planning (ERP) systems have been neglected by most within the security community. ERP systems are home to a host of critical information within an organization, including sales, human resources, and financial data, in addition to personal information and intellectual property. However, IT and security teams often lack the necessary visibility into the security posture of these systems. In fact, a survey conducted in 2019 revealed that some 64% of ERP systems had been breached over a period of 24 months.

Over the past five years, the Cybersecurity and Infrastructure Security Agency (CISA) has issued six different US-CERT alerts on malicious cyber activity or vulnerabilities found in ERP applications. With 70% of organizations saying their application portfolios have grown more vulnerable in the past year, the start of 2023 marks the perfect occasion for enterprises to reevaluate and enhance their ERP security strategies.

Here are some important steps organizations can take to secure their ERP systems as threat actors continue to evolve their attacks.

Managing vulnerabilities

Implementing a comprehensive vulnerability management program is a strong first step toward addressing ERP application security and minimizing an organization’s attack surface. Traditional vulnerability assessment technology does not adequately identify organizational risk across ERP landscapes. To best assess the true level of risk within an organization, security teams need a vulnerability management solution that is purpose-built for ERP applications.

These teams rely on actionable threat intelligence specific to business applications to inform prioritization and risk management. In today’s enterprise landscape, many teams are under-resourced, new to ERP systems, or both. They do not have the luxury of delving into each vulnerability, which is why getting the proper research and context in front of analysts matters: it lets them focus their efforts where the risk is highest.

Threat actors can exploit vulnerabilities in system configurations, user settings, custom code, and even missing patches to gain entry to critical ERP systems. Identifying and remediating a vulnerability before it is exploited is essential to protecting an ERP environment.


Testing, testing

Due to the prevalence of application exploits, organizations are increasingly turning their attention toward application security testing and prioritizing such testing early in the development cycle. The average customer’s SAP system contains two million lines of code, with one potential issue appearing roughly every thousand lines. This means organizations are developing code with hundreds of thousands of potential errors, any of which may result in costly downtime or business disruption.

By incorporating security checks into the early stages of application development, enterprises are better equipped to find issues quickly. Additionally, automated application security testing designed specifically for SAP software can replace time-consuming, error-prone manual security reviews.

Resolving a coding issue before it reaches production is generally an easier and more cost-effective fix for an organization. A swift resolution in the development phase also helps enterprises avoid negative impacts on system security, compliance, performance, or availability.

Keeping watch

Business-critical applications remain an attractive target for bad actors both inside and outside an organization. Threat actors are targeting ERP systems through a number of different attack vectors and at a more rapid pace than ever before, but many organizations lack the monitoring and intelligence capabilities needed to combat these threats and secure critical systems.

Every organization needs to be prepared to identify, understand, and act upon threats to ERP security. Implementing a security solution that offers continuous threat monitoring is crucial to staying ready for whatever threat may strike next. Security teams often lack the visibility and context necessary to understand what constitutes a threat to ERP software, which is why continual threat detection is so valuable.

Watching for unauthorized changes, misuse, or other indicators of malicious behavior gives organizations the foresight needed to detect a threat before it disrupts business. With increased visibility over ERP applications, security teams can incorporate threat intelligence into their broader incident response programs and keep their organizations prepared for whenever a threat arises.

An eye towards the future

In the past year, threat actors have become smarter, quicker, and more sophisticated with their attacks on business-critical applications like ERP. These applications help facilitate the global economy, meaning that organizations need to keep them secure or run the risk of placing their business, partners, customers, and employees in harm’s way.

As enterprises look ahead to 2023, they can expect an increase in exploits against known vulnerabilities, such as RECON, Log4j, and Internet Communication Manager Advanced Desync (ICMAD). With this in mind, enterprises across industries should plan to ramp up the deployment of business-critical application security tools, as the number of attacks on these systems will only increase in the months and years ahead.

Organizations must equip themselves with the appropriate vulnerability management solutions to gain complete visibility over their IT ecosystems, understand the criticality of each vulnerability, and respond accordingly.

JP Perez-Etchegoyen

About JP Perez-Etchegoyen

JP Perez-Etchegoyen is CTO of Onapsis. JP leads the Research & Development teams that keep Onapsis on the cutting edge of the business application security market. He is responsible for the design, research, and development of Onapsis' innovative software solutions and helps manage the development of new products, as well as the SAP cybersecurity research that has garnered critical acclaim for the Onapsis Research Labs. He is regularly invited to speak and host trainings at global industry conferences, including Blackhat, HackInTheBox, Troopers, and SAP TechEd/DCODE. Prior to joining Onapsis, JP led many Information Security consultancy projects for companies across North America and Europe. His strongest experience is in the fields of penetration testing, web application testing, vulnerabilities research, and information security auditing and standards.
