
SAP’s critical bug allows unrestricted access to ERP (Includes interview)

The SAP issue, as Computer Weekly reports, could have allowed an unauthenticated attacker to take control of SAP applications. This type of issue is important as many organizations, during the coronavirus pandemic, decided to outsource their Enterprise Resource Planning (ERP) systems to Managed Hosting Providers. But with the proliferation of public cloud offerings, many more organizations will seriously consider making the move.


To gain an insight into this vulnerability, Digital Journal spoke with Casey Ellis, CTO and Founder of crowdsourced security platform Bugcrowd, who tells us that a patch is only half the battle.

Ellis explains how this Java-based 0-day cyber-issue was targeted at Internet-facing critical software. She explains that the risk is that such issues can sometimes take several weeks to discover, enhancing the impact of the vulnerability.

Ellis expands on how the remediation has been handled: “Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug.”

With this she explains how the specific vulnerability enables “an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization.”


Furthermore, Ellis says that “with crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
