White box versus black box
Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S
As an SAP customer, you try and secure your SAP systems as best as you can since they support your business-critical processes. You make sure that your SAP authorizations are properly set up and enforced plus you implemented several measures to harden your SAP systems. You do this because you want to protect your business or because legislation or law enforces you to do so.
But are these measures strong enough? And did you not miss anything? (Because the security of your SAP landscape is as strong as your weakest system). To have these questions answered you might need some help. But what to ask for and what exactly do you need in your situation?
In this post, we try and help you answer those questions.
SAP Vulnerability assessments vs SAP penetration testing
To better understand what you need, let’s start with some context. There are many scientifical definitions, but to not overcomplicate things let’s work with these definitions:
An SAP vulnerability assessment in general, is done with upfront knowledge of the SAP landscape and is performed from the ‘inside’ (so with credentials and valid authorizations, also called white box) by looking at the setup, configuration, parameters, versions of components, installed patches, etc, to try and have a complete as possible overview of vulnerabilities and risks in your SAP systems.
SAP penetration testing (or pentesting, also called black box) on the other hand is performed without previous knowledge of the SAP landscape, without any upfront credentials and tests the adequacy of implemented security mechanisms, by trying to break into your SAP systems using exploits.
Both are there to protect your SAP systems against security threats. But customers that are relatively new to SAP security might want to start with an SAP vulnerability assessment, where more seasoned customers might need an SAP penetration test or a combination of both.
In our view, these two services are complementary to each other, but we always recommend doing a vulnerability assessment before a pentest. Because penetration testing against SAP systems that are not properly assessed and hardened is not providing too much value. In that case, you will find that it is easy to access your SAP systems, but it will leave you with not too many details on how to overall improve security and where to start.
So, start with an SAP vulnerability assessment as this will give a detailed picture of all vulnerabilities in your SAP systems. Knowing your vulnerabilities might add value to do an SAP penetration test, but also then it adds value to combine the two. By first doing an SAP vulnerability assessment and from there work towards an SAP penetration test, will speed up the process and expose more valuable insight into the vulnerabilities and risks in your SAP landscape.
Again, all to help customers better secure and harden their business-critical SAP systems, prevent exploitation and improve detection and incident response. In general, money spent on prevention outweighs the costs of a breach.
If you want to further discuss the above or would like some advice in this area, please don’t hesitate to reach out. It is our pleasure to help you find a solution that fits your specific needs.
Request an SAP security stress test here and find out how vulnerable your SAP systems are within a few days.