Posts Tagged ‘SAP’

Saas predictions for 2014

Friday, December 27th, 2013

While the bulk of enterprise software is still deployed on-premises, SaaS (software as a service) continues to undergo rapid growth. Gartner has said the total market will top $22 billion through 2015, up from more than $14 billion in 2012.

The SaaS market will likely see significant changes and new trends in 2014 as vendors jockey for competitive position and customers continue shifting their IT strategies toward the deployment model. Here’s a look at some of the possibilities.

The matter of multitenancy: SaaS vendors such as Salesforce.com have long touted the benefits of multitenancy, a software architecture where many customers share a single application instance, with their information kept separate. Multitenancy allows vendors to patch and update many customers at once and get more mileage out of the underlying infrastructure, thereby cutting costs and easing management.

This year, however, other variations on multitenancy emerged, such as one offered by Oracle’s new 12c database. An option for the release allows customers to host many “pluggable” databases within a single host database, an approach that Oracle says is more secure than the application-level multitenancy used by Salesforce.com and others.

Salesforce.com itself has made a shift away from its original definition of multitenancy. During November’s Dreamforce conference, CEO Marc Benioff announced a partnership with Hewlett-Packard around a new “Superpod” option for large enterprises, wherein companies can have their own dedicated infrastructure inside Salesforce.com data centers based on HP’s Converged Infrastructure hardware.

Some might say this approach has little distinction from traditional application hosting. Overall, in 2014 expect multitenancy to fade away as a major talking point for SaaS.

Hybrid SaaS: Oracle has made much of the fact its Fusion Applications could be deployed either on-premises or from its cloud, but due to the apparent complexity involved with the first option, most initial Fusion customers have chosen SaaS.

Still, concept of application code bases that are movable between the two deployment models could become more popular in 2014.

While there’s no indication Salesforce.com will offer an on-premises option — and indeed, such a thing seems almost inconceivable considering the company’s “No Software” logo and marketing campaign around the convenience of SaaS — the HP partnership is clearly meant to give big companies that still have jitters about traditional SaaS a happy medium.

As in all cases, customer demand will dictate SaaS vendors’ next moves.

Geographic depth: It was no accident that Oracle co-President Mark Hurd mentioned during the company’s recent earnings call that it now has 17 data centers around the world. Vendors want enterprise customers to know their SaaS offerings are built for disaster recovery and are broadly available.

Expect “a flurry of announcements” in 2014 from SaaS vendors regarding data center openings around the world, said China Martens, an independent business applications analyst, via email. “This is another move likely to benefit end-user firms. Some firms at present may not be able to proceed with a regional or global rollout of SaaS apps because of a lack of local data center support, which may be mandated by national data storage or privacy laws.”

Keeping customers happy: On-premises software vendors such as Oracle and SAP are now honing their knowledge of something SaaS vendors such as NetSuite and Salesforce.com had to learn years earlier: How to run a software business based on annual subscriptions, not perpetual software licenses and annual maintenance.

The latter model provides companies with big one-time payments followed by highly profitable support fees. With SaaS, the money flows into a vendor’s coffers in a much different manner, and it’s arguably also easier for dissatisfied customers to move to a rival product compared to an on-premises deployment.

As a result, SaaS vendors have suffered from “churn,” or customer turnover. In 2014, there will be increased focus on ways to keep customers happy and in the fold, according to Karan Mehandru, general partner at venture capital firm Trinity Ventures.

Next year “will further awareness that the purchase of software by a customer is not the end of the transaction but rather the beginning of a relationship that lasts for years,” he wrote in a recent blog post. “Customer service and success will be at the forefront of the customer relationship management process where terms like retention, upsells and churn reduction get more air time in board meetings and management sessions than ever before.”

Consolidation in marketing, HCM: Expect a higher pace of merger and acquisition activity in the SaaS market “as vendors buy up their competitors and partners,” Martens said.

HCM (human capital management) and marketing software companies may particularly find themselves being courted. Oracle, SAP and Salesforce.com have both invested heavily in these areas already, but the likes of IBM and HP may also feel the need to get in the game.

A less likely scenario would be a major merger between SaaS vendors, such as Salesforce.com and Workday.

SaaS goes vertical: “There will be more stratification of SaaS apps as vendors build or buy with the aim of appealing to particular types of end-user firms,” Martens said. “In particular, vendors will either continue to build on early industry versions of their apps and/or launch SaaS apps specifically tailored to particular verticals, e.g., healthcare, manufacturing, retail.”

However, customers will be burdened with figuring out just how deep the industry-specific features in these applications are, as well as gauging how committed the vendor is to the particular market, Martens added.

Can’t have SaaS without a PaaS: Salesforce.com threw down the gauntlet to its rivals in November, announcing Salesforce1, a revamped version of its PaaS (platform as a service) that couples its original Force.com offering with tools from its Heroku and ExactTarget acquisitions, a new mobile application, and 10 times as many APIs (application programming interfaces) than before.

A PaaS serves as a multiplying force for SaaS companies, creating a pool of developers and systems integrators who create add-on applications and provide services to customers while sharing an interest in the vendor’s success.

Oracle, SAP and other SaaS vendors have been building out their PaaS offerings and will make plenty of noise about them next year.

Source:  cio.com

New malware variant suggests cybercriminals targeting SAP users

Tuesday, November 5th, 2013

The malware checks if infected systems have a SAP client application installed, ERPScan researchers said

A new variant of a Trojan program that targets online banking accounts also contains code to search if infected computers have SAP client applications installed, suggesting that attackers might target SAP systems in the future.

The malware was discovered a few weeks ago by Russian antivirus company Doctor Web, which shared it with researchers from ERPScan, a developer of security monitoring products for SAP systems.

“We’ve analyzed the malware and all it does right now is to check which systems have SAP applications installed,” said Alexander Polyakov, chief technology officer at ERPScan. “However, this might be the beginning for future attacks.”

When malware does this type of reconnaissance to see if particular software is installed, the attackers either plan to sell access to those infected computers to other cybercriminals interested in exploiting that software or they intend to exploit it themselves at a later time, the researcher said.

Polyakov presented the risks of such attacks and others against SAP systems at the RSA Europe security conference in Amsterdam on Thursday.

To his knowledge, this is the first piece of malware targeting SAP client software that wasn’t created as a proof-of-concept by researchers, but by real cybercriminals.

SAP client applications running on workstations have configuration files that can be easily read and contain the IP addresses of the SAP servers they connect to. Attackers can also hook into the application processes and sniff SAP user passwords, or read them from configuration files and GUI automation scripts, Polyakov said.

There’s a lot that attackers can do with access to SAP servers. Depending on what permissions the stolen credentials have, they can steal customer information and trade secrets or they can steal money from the company by setting up and approving rogue payments or changing the bank account of existing customers to redirect future payments to their account, he added.

There are efforts in some enterprise environments to limit permissions for SAP users based on their duties, but those are big and complex projects. In practice most companies allow their SAP users to do almost everything or more than what they’re supposed to, Polyakov said.

Even if some stolen user credentials don’t give attackers the access they want, there are default administrative credentials that many companies never change or forget to change on some instances of their development systems that have snapshots of the company data, the researcher said.

With access to SAP client software, attackers could steal sensitive data like financial information, corporate secrets, customer lists or human resources information and sell it to competitors. They could also launch denial-of-service attacks against a company’s SAP servers to disrupt its business operations and cause financial damage, Polyakov said.

SAP customers are usually very large enterprises. There are almost 250,000 companies using SAP products in the world, including over 80 percent of those on the Forbes 500 list, according to Polyakov.

If timed correctly, some attacks could even influence the company’s stock and would allow the attackers to profit on the stock market, according to Polyakov.

Dr. Web detects the new malware variant as part of the Trojan.Ibank family, but this is likely a generic alias, he said. “My colleagues said that this is a new modification of a known banking Trojan, but it’s not one of the very popular ones like ZeuS or SpyEye.”

However, malware is not the only threat to SAP customers. ERPScan discovered a critical unauthenticated remote code execution vulnerability in SAProuter, an application that acts as a proxy between internal SAP systems and the Internet.

A patch for this vulnerability was released six months ago, but ERPScan found that out of 5,000 SAProuters accessible from the Internet, only 15 percent currently have the patch, Polyakov said. If you get access to a company’s SAProuter, you’re inside the network and you can do the same things you can when you have access to a SAP workstation, he said.

Source:  csoonline.com

Internet-facing SAP systems suffering increased attacks

Thursday, June 20th, 2013

Hundreds of organizations around the world are running unpatched, Internet-facing versions of SAP software, exposing them to data theft, APTs (advanced persistent threats), and other unpleasantness, according to security analyst Alexander Polyakov, CTO of ERPScan and founder of ZeroNights. Polyakov also said that SAP exploits are part of a thriving underground trade, particularly as organizations in Asian countries are exposing their systems with new SAP deployments.

“You need to do your HR and financials with SAP, so [if it is hacked] it is kind of the end of the business,” Polyakov said at a presentation at RSA Conference Asia Pacific 2013, attended by SC Magazine’s Darren Pauli. “If someone gets access to the SAP, they can steal HR data, financial data, or corporate secrets … or get access to a SCADA system.”

Vulnerabilities in SAP software, combined with the value of the data SAP systems utilize, have yielded increased attention from security researchers, per Polyakov: Nearly 60 percent of vulnerabilities found in 2013 were turned up by outsiders. The fact that SAP users are willing to open up interface to the Internet, whether for remote employees, connecting to remote offices, or remote management, increases the risks.

In his research, Polyakov found more than 4,000 servers hosting publicly facing SAP applications, 700 through Google and 3,471 via Shodan. He found that 35 percent of exposed SAP systems were running NetWeaver version 7 EHP 0, which hasn’t been updated since November 2005. Another 23 percent of the SAP code he found was last updated in April 2010; 19 percent of the installations hadn’t been patched since October 2008.

Polyakov found a comparable percentage of instances of SAP NetWeaver J2EE containing security holes through which attackers can create user accounts, assign roles, execute commands, and wreak other forms of havoc. He also determined that one in 40 organizations was vulnerable to remote exploits via SAP Management Console, while one in 120 organizations was susceptible via vulnerable HostControl, which allows for command injection. One in 20 organizations had a version of the SAP Dispatcher service for client-server communications containing default accounts that could be used to fully compromise SAP systems.

The researcher said the top five vulnerabilities for 2012 were as follows:

  1. SAP NetWeaver DilbertMsg servlet SSRF, which enables an attacker to access any files located in the SAP server file system
  2. SAP HostControl command injection, which allows for full code execution as the SAP administrator from an unauthenticated perspective
  3. SAP J2EE file read/write, through which a remote, unauthenticated attacker could compromise a system by exploiting an arbitrary file access vulnerability in the SAP J2EE Core Services
  4. SAP Message Server buffer overflow, which allows remote attackers to execute arbitrary code on vulnerable installations of SAP NetWeaver ABAP without authentication
  5. SAP DIAG buffer overflow, with which an unauthenticated, remote attacker can execute arbitrary code to launch a denial of service attack

Also part of his findings: One in three organizations had SAP routers publically available by a default port. Of the 5,000 exposed routers, 15 percent lacked ACLs (access control lists), 19 percent suffered information-disclosure holes which enable denial of service attacks, and five percent were improperly configured, allowing attackers to bypass authentication.

Polyakov will publish the entirety of his research next month. His slide presentation is available on the RSA website.

Source:  infoworld.com