May 23, 2008

What's The Deal With SAP Certification

For some time I have wanted to blog about the need to protect enterprise applications. You might think it is obvious, but most organizations are still behind when it comes to enterprise application protection.
On Wednesday, Imperva announced that SecureSphere achieved SAP certification. Many organizations use SecureSphere to monitor and protect their SAP systems, and the certification provides the highest level of assurance that we meet SAP's requirements for integration, performance and, of course, security.

The press release says that SAP has certified that SecureSphere v6.0 meets the certification criteria under the category of Network Security for enterprise SOA-based solutions. In PR jargon, Imperva SecureSphere Web Application Firewalls help provide seamless protection for Web-facing SAP applications.

In real-world terms, it means that when it comes to SAP (and, in fact, any dynamic application like SAP) SecureSphere integrates very well. During the certification process (which I was personally involved in), it was amazing to see how quickly SecureSphere was able to plug into the SAP Certification Center network and pass the rigorous tests in different scenarios.

If you believe in coincidence: at the same time that we announced our certification, the Digital Security Research Group (http://dsec.ru/) reported an SAP Web Application Server vulnerability, an input validation hole in webgui that permits cross-site scripting attacks (see Security Tracker for details). One might ask how such a vulnerability was not detected before, for example by automated scanning technology. The answer does not really matter: there is always one more bug, and there are always more vulnerabilities to find. From a security standpoint, this newly discovered SAP vulnerability simply shows that scanning, code review and assessment alone cannot be trusted as the sole method of protecting web applications. Amichai calls this PCI's False Dilemma (from Tech News World):

For those only concerned with compliance, the answer is simple: WAF. Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, WAF is a faster and more cost-effective approach to meeting the letter of the law.

For those concerned with actually doing the right thing and asking "which first?" rather than "which?" the answer is actually the same: WAF. That's because a WAF can be deployed to provide immediate protection, and a WAF can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in usage patterns that can guide code review teams and point out obvious problems.

And in the case of SAP, who's going to be willing to change that code (if they even have access to the source code in the first place)?

So the deal with SAP certification is very straightforward: new vulnerabilities are discovered often, and they affect business applications like SAP. SecureSphere can block the attacks that exploit them while the vendor patch or code fix is still on its way. The protection is only as good as the rule that covers the affected input, so the WAF rule is the stopgap and the code fix remains the second step described above.
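To make the "protect without touching the code" idea concrete, here is an added example. It is my own illustration, not Imperva's, SAP's or SecureSphere's code, and it is not the webgui flaw itself (no details of that hole are given here). It puts three things side by side: a constructed page that reflects a `name` parameter into HTML without encoding, an allow-list rule applied in front of it as a virtual patch, and the eventual code fix (output encoding). The parameter name, the rule and the sample requests are all assumptions.

```python
import html
import re
from urllib.parse import parse_qs


# Constructed stand-in for a page that reflects a request parameter into
# HTML without encoding it. "name" is an assumed parameter, not an SAP one.
def vulnerable_render(query_string: str) -> str:
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    return f"<h1>Hello, {name}</h1>"


# The eventual code fix: contextual output encoding before reflecting.
def fixed_render(query_string: str) -> str:
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    return f"<h1>Hello, {html.escape(name, quote=True)}</h1>"


# Virtual patch: a positive (allow-list) rule for the affected parameter.
# The rule describes what legitimate values look like (assumed here to be
# a short display name) rather than enumerating attack strings, so it blocks
# the whole class of payloads, not just the one that was reported.
VIRTUAL_PATCH = {
    "name": re.compile(r"[A-Za-z0-9 ._-]{0,64}"),
}


def waf_inspect(query_string: str):
    """Return (allowed, reason) for a query string.

    Matching runs on the percent-decoded value, the same form the application
    sees, so an encoded payload is judged the same as a plain one. Parameters
    without a rule are not inspected: the patch stays narrow and only touches
    the input that is known to be dangerous.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        rule = VIRTUAL_PATCH.get(name)
        if rule is None:
            continue
        # Every copy of a repeated parameter is checked, because which copy
        # the application uses (first or last) depends on the framework.
        for value in values:
            if not rule.fullmatch(value):
                return False, f"parameter {name!r} violates allow-list"
    return True, "ok"


def protected_render(query_string: str) -> str:
    """The WAF sits in front of the unchanged, still-vulnerable application."""
    allowed, reason = waf_inspect(query_string)
    if not allowed:
        return "403 Forbidden: " + reason
    return vulnerable_render(query_string)


# Constructed sample requests (query strings only).
SAMPLE_REQUESTS = [
    "name=Alice",                                    # legitimate
    "name=%3Cscript%3Ealert(1)%3C/script%3E",        # percent-encoded payload
    "name=Alice&name=<img src=x onerror=alert(1)>",  # payload in a repeated copy
    "lang=%3Cscript%3E&name=Bob",                    # uninspected parameter passes
]


def run_samples():
    """Render every sample through all three paths; returns a dict for inspection."""
    return {
        qs: {
            "vulnerable": vulnerable_render(qs),
            "protected": protected_render(qs),
            "fixed": fixed_render(qs),
        }
        for qs in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for qs, out in run_samples().items():
        print(qs)
        for path, body in out.items():
            print(f"  {path:>10}: {body}")
```

Two points worth noticing when you run it. The last sample shows the limit of a narrow virtual patch: a payload in a parameter the rule does not cover passes the WAF untouched, which is harmless only because this page never reflects `lang`. And the allow-list can be this tight only because we assumed what a legitimate `name` looks like; for a free-text field the rule would have to be looser and the code fix becomes the only complete answer, which is the "which first" point in the quote above.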

TrackBack URL for this entry: http://blog.imperva.com/mt/mt-tb.cgi/22