As SAP invests heavily in mobile, a security testing company will release a tool next month to ensure mobile-accessible SAP systems are not vulnerable to hackers.
Boston-based Onapsis will release a new module for its X1 security suite, a product that performs automated security assessments, penetration testing and compliance audits for SAP’s ERP (enterprise resource planning) software, said Mariano Nunez, Onapsis’ CEO.
The module will focus in part on the SAP Mobile Platform, formerly known as the Sybase Unwired Platform Developer Center, which helps developers build SAP mobile applications for different devices and platforms. It also looks at the NetWeaver Gateway, an SAP server that links devices to back-end systems, Nunez said.
Exposing those back-end systems is complicated, and companies can face a risk of hacking if the systems are misconfigured or do not have up-to-date patches.
“We see that companies may not be paying enough attention to that and forgetting the devices,” Nunez said. “Our empirical experience shows those systems are usually left insecure because of people not applying the latest patches or not following SAP’s best security practices.”
SAP is focused on mobile access, device management and security as more companies embrace bring-your-own-device policies. SAP supports iPhone, Android, and Blackberry devices.
Sanjay Poonen, head of SAP’s mobile division, said at the Sapphire Now conference in May that the company has more than 1,000 people working on mobile-related projects in areas such as retail, banking and consumer package goods.
Last year, SAP reported more than €222 million ($293 million) in license revenue from its mobile-related business, a revenue stream that didn’t exist two and half years prior, Poonen said.
“We think this market is really poised for an even bigger opportunity if you go even beyond devices,” Poonen said. “This world is going to require us to think of mobile security in a whole new way.”
The importance of mobile security
Nunez said companies faces risks if, for example, a CRM (customer relationship management) system is incorrectly configured for access by mobile devices, opening a door for hackers using attack tools for Web services.
X1’s mobile security module looks at what functions and processes are exposed in the back-end systems and not on the mobile application itself, Nunez said. It alerts users to security vulnerabilities and tells users how to fix the issues. The module is scheduled to be released next month, and will be free to X1 subscribers.
Onapsis is also scheduled to present two SAP security workshops at the Black Hat security conference in Las Vegas, which kicks off on July 27. The workshops, which are not product focused, will look at SAP security from an academic perspective, Nunez said.