By Alan Bavosa, VP of Security Products at Appdome

The mobile app economy will continue to expand at an increasing pace, as evidenced by consistent data from Appdome’s consumer surveys, spanning over 75,000 consumers across 12 countries in 2021, 2022, and 2023, that reveal a migration to the mobile app channel to buy, save, share and support the brands they love. Mobile app traffic is now the dominant channel for brand interaction. As the mobile security space transforms from a niche, specialty market to a mature industry, regulatory and compliance scrutiny are also heightened. With scrutiny and compliance requirements intensifying in regions like LATAM, APAC, the US and the UK – the cybersecurity industry will witness a surge in emphasis, and demand, for mobile security and mobile-centric hiring practices in 2024.

Consumer expectations for mobile app security are growing and so is regulatory and compliance scrutiny. This means that mobile brands and developers must accept that the onus of protecting global consumers from cyber threats – be it hacking, data theft, fraud, or malware – falls squarely on their shoulders. More directly stated: users do not want to own security and are holding brands accountable for the protection of all personal data, and beyond.

In the U.S. alone, according to Appdome’s 2023 consumer survey, an eye-opening 73% of consumers confessed they would drop an app quickly if they sensed even the slightest weakness in security – and will abandon brands that don’t seem to care about their security or protect them.

Mobile consumers are becoming more and more cyber-savvy and expect app makers to build comprehensive security into mobile apps, moving the baseline from basic cyber protections to comprehensive mobile app defense. In fact, the survey found that consumers expect mobile brands to go one step further by preventing fraud instead of detecting and reimbursing them after it occurs. A staggering 82% of mobile consumers said they preferred mobile brands to stop mobile fraud before it started. Only 15% said they prefer to be reimbursed after it happens, and only a negligible amount (about 2%) said fraud protection is not important to them.

When asked who should bear the responsibility for mobile app protection, the majority of global consumers (56%) said they expect the mobile brand or developer of the app to protect them.

To meet the growing demands of consumers and regulatory entities alike, cybersecurity teams must start adopting developer best practices to ensure not only compliance but also cyber resilience. Cyber resilience in mobile apps is the ability to withstand and recover from security incidents or attacks in real time. For the longest time, the thought has been that mobile app developers should adopt cybersecurity best practices.

The release cycle for developing or updating mobile apps is very rapid – and short – with the entire workflow, including every tool used within, being automated. Traditional mobile app security tools, however, are the exact opposite of this as they rely on manual effort or impose cumbersome operations, and do not fit into the DevOps workflow – at all. This leads to security being ignored altogether, or the implementation of “bare minimum” security measures, which still requires a large time and effort commitment by the development team.

Tools, such as those provided by Appdome, that give developers a way to implement comprehensive security in a way that fits right into their existing, automated workflow, without any work on their part, are crucial for effectively implementing cybersecurity best practices in the development cycle.

Put simply, the only way that cybersecurity is going to have a true seat at the table is when the industry starts to adopt DevOps best practices. Cybersecurity would thus have an agile and rapid way to build their security model to protect against new threats and attacks that they were able to identify in production.

As before, data from Appdome’s 2023 consumer survey revealed that mobile applications dominate the consumer share of mind and wallet. Additionally, consumers now ‘feel the pain’ and have begun to take any lack of protection in the mobile apps they use personally. Going further, they openly place the responsibility for mobile app defense on the mobile brand and developer providing the app.   Mobile brands are advised to listen to consumers’ biggest fears like hacking, fraud, and malware, and respond to the high cyber and anti-fraud expectations consumers have in using mobile apps for life and work.

A company’s mobile cyber defense culture should always protect the customer first. What is encouraging is that the reward for developers for protecting Android and iOS apps and users is better than ever – an overwhelming 93.6% of global consumers confirm a willingness to promote mobile apps and brands to others if they felt like mobile apps were protecting them, their data, and use. All the more reason to make mobile app protection a top priority.

Photo by Towfiqu barbhuiya: https://www.pexels.com/photo/close-up-of-a-smart-phone-with-a-lock-11391947/

By Christoph Nagy, SecurityBridge

As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default – there will always be security challenges, and SAP is no exception.

In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them.

1. Incomplete Patch Management:

Patching is one of the most significant tasks and security concerns in SAP. Patches, or “SAP Security Notes” (that are, in general, released every 2nd Tuesday of the month) often contain critical security fixes that address vulnerabilities. Failing to apply these patches promptly can leave systems vulnerable to known exploits, as cybercriminals often target systems with known vulnerabilities.

2. Default Credentials:

One of the most prevalent SAP security issues is the use of default or weak passwords. SAP systems often come with default usernames and passwords that are well-known. If organizations do not change these defaults or enforce strong password policies, it becomes relatively easy for attackers to gain access or escalate privileges.

3. Inadequate User Authorization controls:

Role-based access control (RBAC) is crucial in SAP systems, but many organizations struggle with proper role and authorization management, with poorly managed user access being a common issue. Organizations must implement robust role-based access controls (RBAC) to ensure that users have only the permissions necessary for their roles. In fact, failing to do so can lead to data breaches and unauthorized activities. Overly permissive roles or insufficient segregation of duties (SoD) can lead to unauthorized access and fraud – conversely, overly restrictive roles can hinder productivity.

4. Unsecured Interfaces:

SAP systems often have multiple interfaces for communication, including RFC (Remote Function Call) and HTTP. Attackers can exploit inadequately secured interfaces to access and manipulate SAP data or move easily between SAP systems and compromise the entire landscape. There are several ways to secure the interfaces, for example, by avoiding passwords by configuring trust between systems or by using UCON functionality of SAP to lower the attack surface drastically. Another measure is to enable data encryption, as it is essential for protecting sensitive information both at rest and in transit: without proper encryption measures, data can be exposed to eavesdropping and theft.

5. Inadequate Authentication:

Weak authentication mechanisms, such as: simple passwords and insufficient authorization checks, can result in unauthorized access and privilege escalation. Organizations should implement multi-factor authentication (MFA) and regularly review and update authentication policies. When it comes to SAP, enforcing Single Sign-on greatly reduces the attack surface and the password reset effort by the teams.

6. Insecure Custom Code:

Again, no digital system is perfect and the custom-developed code within SAP environments can introduce security vulnerabilities. Organizations must enforce regular code reviews and security testing to identify and remediate issues in custom code.

7. Poorly Managed Security Logs:

Many organizations still do not activate SAP Security Audit Log in their systems, which leaves a huge gap in terms of incident investigation. Proper logging and monitoring are essential for detecting and responding to security incidents. Inadequate or misconfigured logging can make it challenging to identify suspicious activities or breaches. Organizations need to establish robust monitoring and alerting systems to stay vigilant against potential threats.

8. Configuration errors and leaving settings on insecure defaults:

Misconfigured SAP systems can expose sensitive data and functionality to unauthorized users. This includes incorrect or overly permissive settings / parameters for database and application servers, network configurations, SAP components like Message Server, RFC Gateway and the ICM, and user authorizations. Configuration errors are often the result of human oversight or lack of expertise. Hence, 4-eye principle must be applied wherever possible, while performing configurations.

9. Lack of Security Awareness:

Employees and users can inadvertently introduce security risks through actions like social engineering or falling victim to phishing attacks; regular security training and awareness programs are essential to mitigate this risk.

10. Obsolete and Unsupported Systems:

Running outdated or unsupported SAP systems, Operating systems, and Databases can be a significant security risk. These infrastructures are more likely to have known vulnerabilities that attackers can exploit. If an SAP system is decommissioned, proper steps must be taken to ensure that all users are locked out, and the data is deleted to prevent unwanted data usage; sometimes, even decommissioned systems may contain sensitive business data.

In conclusion, SAP security and proper configuration management are critical concerns for organizations due to the sensitive nature of the data managed within SAP systems and how business-critical they are. To mitigate these top 10 security issues, organizations should establish a comprehensive SAP security strategy that includes regular patch management, robust access controls, secure custom code development, and ongoing user training. Organizations should stay informed about the latest SAP security vulnerabilities and best practices to adapt their security measures accordingly. Addressing these security challenges is essential to safeguard the CIA triad (Confidentiality, Integrity, and Availability) of SAP systems and the information they contain.

Christoph Nagy

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.

By James Allman-Talbot, Head of Incident Response & Threat Intelligence, Quorum Cyber

There are few things scarier than having your account compromised. It doesn’t matter if it’s a corporate account or a personal one that’s fallen into the hands of a bad actor. The initial wave of confusion—Hey, why isn’t it letting me in, or I don’t remember making that change—quickly turns to dread as you realize what has actually happened: someone has gained access to your account and all the information in it, and has the power to act on your behalf, likely to a damaging degree.

Before that dread can turn into panic, take a breath. There are in fact things you can, and should, do in the event of a valid account compromise, and once you’ve taken a moment to collect yourself you should jump right on them. Panicking is bad, but you still don’t want to delay.

• If you can still access the account, change your password—immediately. Don’t reuse a password utilized on other accounts, and don’t change it to some variation of the old one (adding an exclamation point to the end of the old password is probably the first thing the hacker would guess if they try to get in again).
• If the account is one where you can see and edit active sessions: close all of them. Obviously, if you see a session that is active on your account from halfway across the world, that’s probably where the person is who is in your account, but geographical data can sometimes be spoofed so it’s best to shut down all sessions to be safe.
• You also want to contact people who can help you lock down the account and undo any damage. If it’s a corporate account that was hacked, reach out to your IT and/or security department—if you have a data protection officer, they’re the best contact—and let them know what happened. They’ll direct you on the next steps and help you determine what data was accessed and actions taken by the attacker.
• Alternatively, if it’s your own personal account, contacting customer support for the application, site, or service should be your next step. They should have the tools to help you ensure your account is secured and undo any actions that the account took that you did not authorize.
• Two-factor authentication (2FA), where you have to enter a code sent to your email or phone via text, is your friend. If 2FA wasn’t enabled on the account before, do it now. It makes it more difficult for someone to gain access to your account even if they’ve managed to discover your password. Yes, we all feel that mild ping of annoyance when we have to toggle over to another app to get the code, but I promise you that dealing with a hacked account is far, far more irritating (and lasts a lot longer).
• Similar to closing out active sessions on an account, check for suspicious activity that might point to how the account was compromised or what the person who broke in got up to. Unauthorized purchases, odd activity, or specific data accessed—figuring out what damage they did will help you undo as much of it as possible.
• Use that same password for other accounts? Change your repeated passwords elsewhere, starting with the email address tied to that account; oftentimes, hackers don’t stop at one account, and the email address (which is usually the most reliable backup for regaining access after an account locks down) is usually their next stop. For any accounts you have to change this way, it’s a good idea to do all of the above steps as well to see if they already accessed those accounts without you realizing.
• It’s best to use a fully unique password for every account (again, especially your email). We all have countless accounts that are secured by passwords, so use a password manager to help keep track of those passwords and generate strong, unique ones you don’t have to worry about forgetting.

Accounts are compromised all the time, and while it’s nearly impossible to guarantee it’ll never happen to you, the above steps can limit the damage that is done when you’re hacked and help prevent it from happening again. Remember, if you notice weird activity on your account or start receiving authentication requests from 2FA-enabled accounts that you didn’t generate, that’s a sign that something is amiss and action should be taken quickly.

James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in a variety of industries including aerospace and defense, law enforcement, and professional services. Over the years he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board level executives during incidents to advise on recovery and cyber risk management.