Julius von dem Bussche wrote:
I completely agree with
Personally (as a vulnerability researcher) I have found that it is more difficult to find real hacks which take complete control of the system. So SAP is doing a good job in the product development integration with security input.
I am not sure I can fully agree with this. Just a simple XSS with a bit of social engineering can give you admin access, and from there it usually escalates pretty quickly. I also believe that SAP benefits from its weirdness. I have seen a presentation about hacking mainframes. I swear you could just swap mainframe for SAP and you would get the same issues: a complex legacy system designed ages ago that nobody understands. There are many bugs, but nobody is looking at them. A good example is a recent issue with compression algorithms in SAP. These types of issues were found in open source implementations years ago; nobody just bothered to look at SAP. To be fair, an in-house implementation can save you as well, as we have seen in the case of many SSL issues.
Also, a worrying part is the response time from SAP. Based on my experience it is months. SAP will have to step up their game for their SaaS solutions. Honestly, maybe they already did; I just do not have any visibility.
Regarding HANA, I do not have any data, so it is hard for me to judge. But I can imagine that security is not one of the top priorities when SAP is rushing to get a new product to market. Microsoft is a good example of how a company can significantly improve its development process from a security perspective. But it is important to understand that it required a memo from the CEO.
Cheers