The recent column by TechRepublic (SAP’s HANA will lose the big data war without open source, as proven by 21 new security flaws) tries to position vulnerabilities detected and patched months ago as “new news” worthy of market attention. So much for reporting the “news.”
To an extent, it is entertaining that a report by Onapsis, a company SAP collaborates with to ensure responsible disclosure of vulnerabilities, is at the heart of this “breaking news coverage.” We work proactively with software security firms to detect holes in our security way before these security breaches are made public. The vulnerabilities cited in this “news” article were fixed by SAP months ago and customers can download security patches from SAP Service Marketplace.
As a regular practice, we strongly advise customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately. SAP collaborates frequently with research companies like Onapsis to ensure responsible disclosure of vulnerabilities.
Regarding other assumptions in the column: The probability is high that one day a vulnerability or a potential leak will be discovered in any code, whether it is open source or not. Remember Heartbleed, which was open for years? No code is perfect. In addition, protecting software from vulnerabilities requires resources and a commitment to security which cannot happen in open source.
Security cannot be achieved by the mere choice of whether source code is available to the public or not. Security is a collaborative process that involves individuals, companies, software and hardware vendors, regulators, governments and many other players.
SAP and other innovative companies are accountable for the software they produce and liable for business damage. So, for good reason, we do everything to avoid vulnerabilities. In addition, it is a known truth in the industry that the techniques and intentions of hackers are getting better. Attacks happen, even with the best software in place (and we haven’t even talked about social engineering!). SAP HANA is a good example because it helps detect and analyze anomalies or unusual behavior of applications (Enterprise Threat Detection).
Rather than scaremongering, TechRepublic should focus on more relevant topics regarding software security: how quickly and to what extent companies can detect a dangerous situation and react appropriately, and what processes and resources are in place to identify, validate, and fix the issue(s).
In conclusion, I would like to write that SAP takes the security of customer data seriously and has based its development processes on a comprehensive security strategy to enable the delivery and maintenance of secure products and services.