SAP NetWeaver flaw spews user tables

Russian security researchers have reported a vulnerability in SAP NetWeaver which could allow attackers to gain access to Central User Administration tables. Details on the vulnerability (CVE-2014-3787) in the service-oriented and integration platform were kept under wraps by security firm PT Security, which conducted regular …

COMMENTS

This topic is closed for new posts.
  1. Tony S

    Slow And Painful

    "SAP users were notoriously bad at updating and securing their deployments"

    Probably because it's not an easy process. Most people that have never worked with SAP think that patching is just a case of running a file (or files) that just do the work and maybe re-start the server afterwards.

    Within SAP, there are a large number of steps, many opportunities to screw up the in-house written apps that *have* to be used, and it also has to be tested several times before rolling it out. Plus people bitch like crazy about the time that it takes; there always seems to be yet another project underway that means it's really inconvenient to do the patching this quarter.

    But the biggest problem is that SAP think that "security by obscurity" is an appropriate security strategy. It's not always clear just what patches need to be applied without some careful research.

    1. oddie

      Re: Slow And Painful

      Not to mention that anyone foolish enough to apply updates in a production system, without testing them thoroughly first in a test/acceptance instance, risks breaking custom SAP Transaction/functionality all over the place (and costing their company a significant amount of money / themselves their job).

      SAP Updates - needs done, never done on release day.

      edit: re-reading your post I just realised that my entire post is pretty redundant. I guess I could put something down about also having to factor in the time taken to resolve conflicts between the custom code and the updates before it finally gets to go to production? SAP - Doesn't update well.

    2. Wedgie

      Re: Slow And Painful

      SAP have really upped their game in the security area over the last 5 years. While many, many customers subscribe to security by obscurity, the same doesn't apply to SAP.

      The problem is that many customers will not invest in securing their assets using standard mechanisms that SAP have provided for years, partly because it is, just like you say, an utter faff to patch around release cycles.

  2. Wedgie

    Yet another exploit facilitated through too much RFC access. Who woulda thunk it.

  3. Anonymous Coward
    Joke

    SAP's patch development process

    Step 1: add the flaw into the licensing engine so use of it can be charged

    Step 2: patch the flaw
