ERPScan – Securing SAP and Oracle Enterprise Business Applications
In this interview with Alexander Polyakov, the founder and CTO of ERPScan, we discuss a relatively new, or at least relatively unknown, form of security vulnerability detection. As Alexander explains, traditional vulnerability tools do not really address business applications such as SAP, PeopleSoft, or other enterprise business applications. Instead, they only focus on endpoints, databases, operating systems, and networks.
In addition to describing his company’s security monitoring suites for SAP and PeopleSoft, Alexander shares both the most critical and some other “interesting” SAP vulnerabilities, as well as how he sees the future of the cyber-security field
What were you doing before you founded ERPScan?
I studied security in university and then I went to work at a security company, where I spent about five years doing penetration testing against large systems. I was young and it was cool feeling that I could break into any system that I tried to get into.
After five years, I wanted to not just point out vulnerabilities, but I wanted to actually help people address and prevent those potential attacks. At that point, I had a lot of experience with Oracle database security, and even wrote a book about it.
During one of my security assessment projects, I discovered SAP for the first time. I quickly learned that there was almost no information on SAP security and vulnerabilities. I then shocked management by being able to break into the SAP system in less than 15 minutes! I continued to do more research into SAP security and after two years of doing SAP security assessments, I realized that the number of vulnerabilities was so great that we had to automate the process.
You are also the president of an organization called EAS-SEC – what exactly is that?
The EAS-SEC is the Enterprise Application Security Project. It is a project similar to OWASP (Open Web Application Security Project), except that EAS-SEC focusses on business applications. It was originally part of OWASP, but since it has different needs, it split out into a separate group.
Your security product is unusual in that it is targeting one specific application. Why did you decide to take that approach?
As I mentioned, I was extremely shocked that such a large, critical system was so vulnerable. Traditional vulnerability tools do not really address applications – they focus on databases, operating systems, and networks. However, the final goal of attackers, and what they really want, is access to the actual data. Getting into endpoints, networks and databases is only a means to the end. We decided to focus on, and protect, the most critical asset – the data itself.
Please give me an overview of the ERPScan Security Monitoring Suite for SAP.
Most vulnerability tools do not even test SAP. Our security monitoring suite is a solution that covers the three main application security issues that traditional security products do not address. We have designed this solution so that even though it is application-specific, it is easily understood and used by security staff, not just SAP developers and administrators. We translate SAP events into language that the security staff understands.
Our process starts with scanning, monitoring, and generating baseline reports. The step beyond that is that we provide more analytics and trends analysis. If an enterprise has multiple SAP systems installed, we map out how they are connected.
Finally, we try to automate the process of remediation. We currently offer the option of automatic correction of vulnerabilities in source code by generating the necessary code.
What are three primary security issues you look for in SAP?
The three main security areas we focus on are:
- Segregation of Duties – A single user should not normally be able to perform two different critical actions in the system (e.g. create a vendor and create a payment order).
- Application Platform Security – These are vulnerabilities of the platform itself, mainly all types of incorrect configurations.
- Customization Issues – SAP is a framework and companies build software on top of it. Many low-level operations can be performed using the SAP ABAP programming language. These vulnerabilities are difficult to discover, even with automatic tools.
You can learn more about the state of SAP vulnerabilities and attacks in this presentation:
Your web site also talks a lot about Oracle and PeopleSoft. Do you also have products for those platforms?
SAP is the leading company in the enterprise application space, but last year we also released a version of our tool suite for Oracle PeopleSoft. The market for the PeopleSoft product is still in its infancy – it took us seven years to build the market for our SAP security product.
In terms of revenue numbers, right now it is 90% SAP and 10% PeopleSoft, but I expect that to change as the market grows and matures.
You also offer security testing and auditing services. Do they make up a significant portion of your revenues? When and why do organizations generally hire you for those services?
Our services offerings are a little different from our products. With our services, we will survey and analyze almost any business application, including both commercial and custom applications. These service engagements make up about 15% of our revenues today.
These engagements are usually our first encounter with new customers. They want to secure their SAP deployment, but are not really sure of their vulnerability. The results of our testing and auditing engagement will often help them to justify the cost of the automated tools.
We also offer professional services to help support and manage various processes around our actual product. Usually larger companies and installations choose to take advantage of those services.
I guess you have a very specific target market for your product.
In terms of company size, 90% of our customers are Fortune 2000 companies. The other parameter is that they have an installation of SAP or PeopleSoft (sometimes both).
How many active customers do you have today? Where are they mainly located?
We currently have about 130 customers, mostly large enterprises. In terms of location:
- 35-40% – US
- 35-40% – Europe
- Remainder – Asia
How would you describe your current typical customer?
The particular vertical or industry does not really matter to us, although we do have different checks for specific industries.
The most popular industries for us currently are:
- Oil and Gas
Who are some of your biggest customers?
Here is a list of some of our biggest customers, including Edeka, which is Germany’s largest supermarket corporation.
Do you see a trend of more application-specific security products in the coming years?
Various analyst reports are stating that ERP (Enterprise Resource Planning) and business application security is one of the major upcoming trends. I will emphasize again that business application security is very different from traditional application security, which is mainly just websites.
What are some of the other trends or changes you see coming in the cyber-security market?
The obvious trend is that most companies are trying to detect attacks on their systems. Unfortunately, most people do not want to deal with actual vulnerabilities, because it is a lot of work. Instead, they choose to just react to the attacks. Of course, this is not the best solution! Companies need to try to eliminate as many vulnerabilities as possible, so that they only need to react to the few remaining attacks. Once you are attacked, you are already a victim.
What are your future plans for ERPScan?
Our top three short-term goals for ERPScan are:
- Developing an integrated module for attack detection
- Greater penetration into the PeopleSoft market
- Expanding our professional services business
How many employees do you have today? Where are they located?
We have 55-60 employees today. The HQ and sales force are in Palo Alto with local presence in and Dallas, Boston, while the rest of the team is Amsterdam with R&D in Prague. We also have sales and marketing teams in Copenhagen, and Sydney.
How many hours a day do you normally work? What do you like to do when you are not working?
In the earlier days of the company, I used to work 14-hour days. I am now trying to be extremely focused and to work only about 8 hours a day.
When I am not working, I enjoy different types of action sports, such as surfing, wake boarding, and motorcycle stunt riding.