A growing number of severe ABAP vulnerabilities surface in code scans of third-party SAP solutions. While this shows that vendors have gaps in their software development life cycle, it also reveals a much bigger problem: SAP customers are exposed to supply chain attacks.
A supply chain attack is a type of cyberattack that targets an organization by exploiting vulnerabilities in its supply chain—typically through third-party vendors, suppliers, or software providers. Rather than directly attacking a well-defended target, attackers infiltrate less secure elements of the supply chain to gain access to the primary target. These attacks often involve compromising software updates, hardware components, or trusted services that are integral to an organization’s operations. Once the attacker gains a foothold, they can deploy malware, steal data, or disrupt systems, often remaining undetected for extended periods.
The mechanics of a supply chain attack are insidious. For example, an attacker might compromise a software vendor’s update mechanism, embedding malicious code into a legitimate update. When organizations install such an update, they inadvertently introduce the malware into their SAP systems. High-profile incidents from the non-SAP world, such as the 2020 SolarWinds attack, illustrate this threat: attackers inserted malicious code into SolarWinds’ Orion software, which was then distributed to thousands of customers, including government agencies and major corporations, leading to widespread breaches.
Today, the risk potential of supply chain attacks is higher than ever due to several converging factors.
First, the increasing complexity and interdependence of modern supply chains create more points of vulnerability. Organizations rely on a web of third-party providers for software, hardware, and services, many of which may lack robust security processes and measures.
Second, the rise of digital transformation has accelerated the adoption of cloud services and interconnected systems, expanding the attack surface.
Third, attackers are growing more sophisticated, leveraging advanced techniques like zero-day exploits and social engineering to target supply chain weak links.
The consequences of these attacks are severe. They can lead to the injection of malware, data breaches, financial losses, operational downtime, and reputational damage. Moreover, their cascading nature means a single breach can affect hundreds or thousands of downstream organizations, amplifying the impact. For instance, a compromised supplier serving multiple industries—such as healthcare, finance, or defense—could trigger systemic disruptions. In an era of heightened geopolitical tensions, state-sponsored actors also exploit supply chain attacks to target critical infrastructure, raising national security concerns.
The risk is compounded by the difficulty of mitigation. Organizations often lack visibility into their suppliers’ security practices, making it challenging to assess or enforce standards across the supply chain. Traditional cybersecurity measures, like firewalls or endpoint protection, are insufficient against attacks originating from trusted sources. This necessitates a shift toward proactive strategies, such as rigorous code analysis of all third-party solutions and their updates and upgrades.
In conclusion, supply chain attacks represent a potent and evolving threat in today’s interconnected world. Their ability to bypass conventional defenses, combined with the reliance on third-party ecosystems, makes them a favored tactic for cybercriminals and nation-states alike. As businesses and governments digitize further, the potential for widespread damage grows, underscoring the urgent need for enhanced resilience and collaboration across supply chains to counter this escalating risk.
Our observations confirm that security risks in third-party solutions are a major blind spot for many SAP customers. When full code scans in an SAP landscape reveal critical issues in third-party solutions, it is of course the third party's responsibility to correct them and to improve their processes. However, the mere fact that such code is installed in the customer's SAP landscape shows that security processes at SAP customers do not seem to sufficiently cover third-party solutions. SAP customers would therefore be well advised to carefully analyze each external piece of (ABAP) software before deploying it in their SAP landscape.
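To make the pre-deployment code analysis recommended above concrete, here is an added example (written for this article; it is neither a product's scanner nor ABAP code from any real add-on): a small Python triage script that walks a third-party ABAP include and flags statements that a reviewer should look at before the transport goes into a productive landscape. The sample ABAP program `zvendor_addon_demo`, the rule set and the severity levels are all constructed for the example; the regular-expression rules are a heuristic for a release gate, not a replacement for a full ABAP parser with data-flow analysis.

```python
"""Pre-deployment triage of third-party ABAP source (illustrative example).

Flags statements that commonly warrant manual review before an add-on is
imported into a productive SAP system: OS command execution, native SQL,
runtime code generation, transactions started without an authorization
check, dynamic WHERE clauses, and AUTHORITY-CHECK results that are ignored.
The rule set is a constructed heuristic, not a complete ABAP security scan.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a vendor include; it is not code from any real add-on.
SAMPLE_ABAP = """\
REPORT zvendor_addon_demo.
PARAMETERS: p_user TYPE string, p_cmd TYPE string.
DATA: lv_where TYPE string, lt_users TYPE TABLE OF usr02.
* build WHERE clause from user input without escaping
lv_where = |BNAME = '{ p_user }'|.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_where).
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.  " executes an OS command
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
IF sy-subrc <> 0.
  RETURN.
ENDIF.
AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'ACTVT' FIELD '02'.
CALL TRANSACTION 'SE38' WITHOUT AUTHORITY-CHECK.
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" blocks the release gate, "medium" needs review
    line: int
    description: str


# Single-statement rules: (rule id, severity, regex, description).
RULES = [
    ("os-command", "high", r"\bCALL\s+'SYSTEM'",
     "OS command execution through a kernel call"),
    ("native-sql", "high", r"\bEXEC\s+SQL\b",
     "native SQL bypasses Open SQL checks"),
    ("dynamic-code", "high", r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b",
     "runtime code generation"),
    ("no-auth-check", "high", r"\bCALL\s+TRANSACTION\b.*\bWITHOUT\s+AUTHORITY-CHECK\b",
     "transaction started without authorization check"),
    ("dynamic-where", "medium", r"\bWHERE\s*\(\s*\w+\s*\)",
     "dynamic WHERE clause (possible SQL injection)"),
]
_COMPILED = [(rid, sev, re.compile(rx, re.IGNORECASE), desc)
             for rid, sev, rx, desc in RULES]


def _statements(source: str):
    """Yield (line number, text) for non-comment lines, inline comments removed.

    ABAP full-line comments start with '*' in column 1; inline comments
    start with '"'. Splitting at the first '"' is naive (it ignores a '"'
    inside a literal) but is sufficient for this illustration."""
    for number, raw in enumerate(source.splitlines(), start=1):
        if raw.startswith("*"):
            continue
        text = raw.split('"', 1)[0].strip()
        if text:
            yield number, text


def scan_abap(source: str) -> list[Finding]:
    """Return findings in source order (statement order, then rule order)."""
    findings: list[Finding] = []
    stmts = list(_statements(source))
    for idx, (number, text) in enumerate(stmts):
        for rid, sev, rx, desc in _COMPILED:
            if rx.search(text):
                findings.append(Finding(rid, sev, number, desc))
        # Multi-line rule: an AUTHORITY-CHECK whose result (sy-subrc) is not
        # tested by the very next statement is effectively a no-op.
        if re.match(r"AUTHORITY-CHECK\b", text, re.IGNORECASE):
            following = stmts[idx + 1][1] if idx + 1 < len(stmts) else ""
            if "sy-subrc" not in following.lower():
                findings.append(Finding("auth-result-ignored", "medium", number,
                                        "AUTHORITY-CHECK result not evaluated"))
    return findings


def release_gate(findings: list[Finding], block_on=("high",)) -> bool:
    """True if the add-on may proceed to transport, False if it must go back
    to the vendor (or to manual review) first."""
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    results = scan_abap(SAMPLE_ABAP)
    for f in results:
        print(f"line {f.line:3d} [{f.severity}] {f.rule}: {f.description}")
    print("release gate:", "PASS" if release_gate(results) else "BLOCKED")
```

Run it as-is to see the four findings in the constructed sample and the blocked gate; point `scan_abap` at source exported from the customer's system (for example via a transport-object listing) to triage a real add-on, keeping in mind that a clean result from a heuristic like this is not evidence of absence of vulnerabilities.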
This is the second article in our SAP Add-on series that provides you with insights into risks related to running third-party solutions as well as defensive strategies.
If you'd like to know more about SAP Add-on risks, please contact us. Understanding these risks helps in making informed decisions about which third-party solutions to adopt and how to manage them securely.