back to article SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers

SAP and security analysts Onapsis say cyber-criminals are pretty quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems. In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "conclusive evidence that cyberattackers are actively targeting …

  1. HildyJ Silver badge
    Boffin

    Rock, meet Hard Place

    It seems we are being forced into a dilemma where somehow both horns get us in the arse.

    We can follow traditional IT practices and test the patches while they are being exploited.

    Or we can automatically install them and fix any internal systems on the backend.

    Neither of these is conducive to a good night's sleep.

    1. cowbutt
      WTF?

      Re: Rock, meet Hard Place

      I know testing feels like a good idea, but honestly, how much worthwhile testing can your organization do over and above that done already by the manufacturer? And, if you don't trust them, why the hell are you using their products?

      1. A Non e-mouse Silver badge

        Re: Rock, meet Hard Place

        You've made an assumption: That manufacturers thoroughly test their code before shipping. From bitter experience, they don't.

        Some of this is down to laziness.

        But for large pieces of software, testing can take weeks to run and cost six or seven figure sums. And that's just to run the tests that have been written. It could be an order of magnitude larger (or more) if tests have been written for every code path.

        But a large part is that the customer's use of a vendor's products in ways more complex or creative than the manufacturer ever thought possible. And when it comes to distributed systems, testing is a harder still. (Hello race conditions!)

        Summary: Testing is hard. Good testing is even harder.

        1. FlamingDeath Silver badge

          Re: Rock, meet Hard Place

          And its just easier to write excuses in the license agreement.

          Why bother with excellence, when society accepts any old shit and just shrugs

      2. mathew42
        Mushroom

        Re: Rock, meet Hard Place

        The internal support team complained about one cloud vendor that 'every time a release is made multiple things are broken'. This is after the internal QA team were given access a week earlier and ran some tests, finding numerous bugs which were fixed.

        As for why we are using their product, I don't know, but after having a discussion about their broken errors handling processes, I have even less ideas.

      3. Anonymous Coward
        Anonymous Coward

        Re: Rock, meet Hard Place

        Like the Win10 updates that keep breaking printing? Thoroughly tested by a trusted manufacturer, right?

      4. vtcodger Silver badge

        Re: Rock, meet Hard Place

        how much worthwhile testing can your organization do over and above that done already by the manufacturer?

        That's a reasonable argument. Really, it is. But if there is one thing I learned in 60 years in the software business (other than that it is best to assume that all salesfolk are liars) it is that users are tremendously good at finding creative ways to use products. Often they don't even know that their usage is not what what the manufacturer intended. Depending on what you use the software for, it can be really important to make sure that patches don't inadvertently break your workflow.

      5. Korev Silver badge

        Re: Rock, meet Hard Place

        I know testing feels like a good idea, but honestly, how much worthwhile testing can your organization do over and above that done already by the manufacturer? And, if you don't trust them, why the hell are you using their products?

        Pretty much every organisation will do some SAP customisation which will require testing.

        Also, some companies run in a regulated environment where every patch, code change, OS update needs to be validated. At my work a lot of the factories manufacturing medicines etc. have SAP on the backend; you really, really don't want system changes to screw that up!

    2. FlamingDeath Silver badge

      Re: Rock, meet Hard Place

      Dude, IT is like a toilet

      When it flushes

      Nobody gives a shit about you, your salary, or your development, rarely do they listen either. IT is one of those unfortunate things that business owners have to deal with, like public liability insurance, it isnt “fun” like a marketing drive or sales splunge

      Can you imagine getting bonuses and commissions for doing your fucking job, can you imagine an employment contract that read like a software license, absolving you of all responsible LMFAO

      Maybe its like this the world over, or maybe its just fucking Britain *sigh*

      1. BleedinObvious

        Re: Rock, meet Hard Place

        upvote for splunge

    3. mathew42

      Re: Rock, meet Hard Place

      I've worked with organisations where it can take months for a patch to be deployed. The patch has to be installed into dev and tested. If successful the change can be deployed to the integrated dev environment and tested. If successful, change board approval is required to deploy to test environment. Repeat for quality assurance where the business tests and then finally prod.

  2. Any non-mouse Cow turd
    Holmes

    Best place to hide a leaf....

    Maybe they should issue the real patch in amongst a load of fake patches to at least buy some additional time. If the black hats have to trawl through and reverse engineer 20 “vulnerabilities” to find just one real one it’ll take longer and as a bonus, annoy the heck out of them.

    1. FlamingDeath Silver badge

      Re: Best place to hide a leaf....

      Or they could, I dunno, show some fucking due diligence

      Imagine that?

      Competency...

    2. Ken Hagan Gold badge

      Re: Best place to hide a leaf....

      There does seem to be a tendency for vendors to release patches on Microsoft's Patch Tuesday. That presumably has a similar effect, overloading the bad guys and buying the smaller vendors a little time.

      And given the size of some MS offerings, who's to say that they aren't using your technique too?

  3. FlamingDeath Silver badge

    If you buy a turd that was advertises as “not a turd” in the marketing literature but it then goes on to describe the turd in the user license agreement which is never read by anyone, you’ll effectively realise that ALL software is absolute turd, and the license agreement will make it very clear, through clearly worded excuses.

    The day when software houses sell software instead of agreements, is long fucking overdue

    1. A Non e-mouse Silver badge

      Having read all your comments in this article today I think you need to ease off the caffeine my friend.

  4. Claptrap314 Silver badge

    This gives me confidence

    in technologies like self-driving cars.

    IN THEORY, a company like SAP could back off the "new features", and focus on bug & vulnerability fixes for a couple of years, thus drying up the profitability of decompiling fixes. This, in turn, would cause the bad guys to move one & even lose expertise.

    But no, we must have FEATURES! YESTERDAY!

    <sigh>

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022