Channel: SCN: Message List - Security
Re: Why was the blog "Using metasploit to Search for vulnerable SAP Systems" removed

There are good points being raised in this thread, and I think the need for better security of SAP systems and auditing of security-specific configurations is well known... by those of us on this thread.


The bigger question for me from this thread is how do we raise the awareness of the developers/admins who enabled the WebUI over HTTP, and of the auditor who didn't know to look for that? My takeaway from Lars' original post was that identifying these issues is easy to do with various solutions (full disclosure: I work for a vendor of such a solution; check my profile for details), yet it is not being done.


Part of the problem is a gap in responsibilities: the Basis team is responsible for maintaining the systems and keeping them running, the developers for providing the business with the functionality they need. Neither team (in most organizations I work with) has been given the responsibility of ensuring the security of those systems and their soundness against cyber-attacks. The typical security team, on the other hand, has no SAP expertise (and is not likely to be reading this thread, unfortunately), so it seldom gets any kind of report on the state of an SAP system, and when it does, it is unable to understand the report.


How do we bridge that gap? Education is the approach that I am taking, and educating both sides of the aisle (so to speak). Helping demystify SAP systems for traditional InfoSec teams, and providing them with the knowledge and tools (be they commercial or free, like Metasploit or Bizploit), helps those teams bring SAP systems into the existing vulnerability management programs they already have in place for the rest of the business systems. For the SAP teams, it means showing them that their SAP systems can be vulnerable to more than just SoD-type abuses, but also to cyber-attack at the framework layer, and that applying security to SAP systems doesn't have to be a negative activity but can ensure the integrity of their systems.


I'd love to hear from others where they see the gap or disconnect, and their ideas on how we can bridge that gap and raise the security awareness around SAP and the security of SAP systems themselves.

