A Smart New Way to Accurately Assess Your SAP Security Maturity

On how to plan and enhance your security mechanisms when protecting SAP resources

15 - 04 - 2021

Please note: This blog post originated from an interview with us and was originally published (in a slightly different form) by our partner bowbridge on their blog. We thank them for their permission to use the content.

Forgive us for asking, but on a scale from 1 to 10, how mature is your SAP security, exactly?

Not sure? That’s understandable. After all, a global cybersecurity standard for SAP systems doesn’t exist. Countries follow their own guidelines. Audit companies make up their own rules. And SAP products are so complex that there are few dedicated SAP security experts.

No wonder there’s so much conflicting information out there about SAP security. That’s why we’re glad to tell you that our friends at NO MONKEY have developed a vendor-neutral security maturity model to help you cut through the noise, so you can assess your organization’s security posture and better protect your SAP applications from cyber threats.

NO MONKEY calls it the SAP Security Maturity Model. Read on to discover why this model is so important, how it works, and what you must do to evaluate your SAP cybersecurity maturity and identify the next steps in your organization’s security journey.

First, Understand the “Why” of SAP Security Maturity

Organizations have no central place where they can turn for guidance on what security protocols they should have in place to protect their SAP applications from cybersecurity threats. There are multiple conflicting recommendations on what to do from tons of user groups, companies, vendors, and consultants - even within the SAP community.

Instead of one source of truth, there are multiple sources of truth … and multiple sources of misleading, or outdated or contradictory information.

The main goal of the Core Business Applications Security-SAP Security Maturity Model (CBAS-SSMM) project is to make enterprise applications that use the internet safer by helping SAP customers find a neutral place to start with security for their core business applications.

As though your job isn’t hard enough already, a lot of the security recommendations that SAP publishes (including SAP Security Notes) are hidden behind an authentication wall, making it difficult for these recommendations to become industry-wide best practices. Furthermore SAP, as the vendord does not see itself in the position to change this (See the statement to the request of NIST).

And so, this is where we are today: SAP professionals and IT security managers are looking for a third-party set of security standards to follow, so they have an unbiased way to assess their security posture, identify gaps, and discover what they need to put in place to protect their enterprises.

Enter the SAP Security Maturity Model from NO MONKEY.

The SAP Security Maturity Model

The SAP Security Maturity Model allows your organization to determine your SAP security posture based on your maturity level.

This enables you to plan and enhance your security mechanisms when protecting SAP resources. You identify processes and controls that either don’t exist or aren’t working. And you get a roadmap for changing your organizational culture and achieving your desired level of maturity.

The SAP Security Maturity Model is an open-source project initiated by NO MONKEY as part of the OWASP's - the Open Web Application Security Project Foundation Core Business Application Security Project. The main goal of the Core Business Applications Security-SAP Security Maturity Model (CBAS-SSMM) project is to make enterprise applications safer by helping SAP customers find a neutral place to start with security for their core business applications.

Being open source, it is industry agnostic, allowing the OWASP community of application security experts, including NO MONKEY, to continue developing this model to be compatible with major security frameworks and able to adapt to enterprise software solutions other than SAP.

Built for enterprise applications

The SAP Security Maturity Model is compatible with the NIST's - National Institute of Standards and Technology's Cybersecurity Framework and is adapted specifically for enterprise applications and core business software applications.

NO MONKEY also offers:

  • Security Aptitude Assessments: Help organizations identify gaps in their SAP application security through internal audits to assess responsibility and competency.
  • SAP Internet Research Project: Tool built by renowned researcher Joris van de Vis to automate detection of internet-facing SAP apps, identifying SAP installations that typical threat-intelligence tools will miss.
  • SAP Security Maturity Audit: Allows organizations to determine their SAP security posture based on controls used to define a maturity level. Good starting point for organizations implementing SAP, aligning best practices and security frameworks.

Next Steps in SAP Security

The SAP Security Maturity Model from NO MONKEY provides a common ground for SAP developers, security teams, and SAP professionals. If your organization is just starting out with SAP, it helps you establish responsibilities and accountability for your team.

But, what then?

Once you have a better understanding of your existing SAP security maturity, it’s time to figure out how to get where you want to be. Here are the logical next steps for you to take to develop a roadmap for changing your organizational culture and achieving your desired level of maturity.

  1. Gain senior leadership buy-in: This process must be driven by your upper management or board. Start by gaining consensus on the impact that insecure SAP applications have on business initiatives. Then agree upon the consequences if gaps in security are not remediated. Skip these steps and you will burn through a lot of money trying to solve the problem.
  2. Start with people first: Establish an organizational structure and security culture, then automate it to make the process more efficient.
  3. Start with a free self-assessment: Use bowbridge’s SAP Cybersecurity Self-Assessment online to audit your level of understanding of SAP security.
  4. Asses the Three-Lines: With the SAP Security Aptitude Assessment to know your three lines capabilities to defend your SAP environment.
  5. Know your Maturity: By conduction a SAP Security Maturity Audit to get an independent evaluation of your SAP security maturity level.

While there may be a large amount of conflicting information out there about SAP security, there’s hope on the horizon. Using the right tools and selecting the right partners can give your organization a crystal-clear view of its SAP security maturity – and how to reach the desired future state.

What do you think?

We're happy to get in touch with you and learn something about your view. Feel free to send us a message.

Leave us a MessageBack to Overview

Stay up to date on the latest developments in SAP security

Follow us on LinkedIn