“Too little, too late” was a recent comment I read on LinkedIn pertaining to the Bug Bounty program(s) that SAP has been offering since 2018. Though there were some easily discovered flaws in the argumentation of the seasoned SAP security researcher who provided the quote, it mirrors the perception of many people dealing with SAP and SAP security specifically.
Frankly, until I joined SAP, I was guilty of the same train of thought. However, this has changed since I joined SAP. Specifically because I am one of those responsible for ensuring the security of SAP solutions, I can confidently say that customers do not need to worry that SAP is not investing enough into security, at all levels. Nevertheless, it is true that SAP can improve on one aspect: sharing our daily work to improve confidence in the security of SAP’s solution portfolio. With this post, we’d like to start a series of articles which give you a behind-the-scenes look into the effort SAP puts behind the security of our core product: SAP S/4HANA.
External Security verification for SAP S/4HANA
And, since we’re at it, we’ll start with the Bug Bounty Program for SAP S/4HANA. Now, I won’t go into much detail about what the program itself incorporates – that has been covered by the blog post which I mentioned earlier. However, I would like to talk about how the program has brought increased security to the SAP S/4HANA solution.
Obviously, the objective of the Bug Bounty program for SAP S/4HANA was set clearly: establish an external security verification platform for SAP S/4HANA and leverage the synergy and knowledge of crowdsourced security testing. To achieve this, we set up a managed (and for sure hardened) SAP S/4HANA on-premise appliance, running on a hyperscaler, and challenged external researchers to try their best to find vulnerabilities.
Of course we ran into some challenges and learned as we went, starting with the fact that the setup comprised an on-premise system running in a cloud environment. On the other hand, the results proved that it was worthwhile. The program went live in late 2019 and has been running continuously ever since. And even in comparison to the overall numbers of bug bounty programs, the SAP S/4HANA program proved to be attractive for researchers: about 2/3 of all researchers who were enlisted in bug bounty programs with SAP totaled up to about 50k$ in