HP Cyber Risk Report 2015 highlights increasing number of SAP vulnerabilities

HP’s Zero Day Initiative (ZDI), a program for rewarding security researchers for responsibly disclosing vulnerabilities, reported over 400 high-severity vulnerabilities in 2014, with 24 related to SAP products, according to the HP Cyber Risk Report 2015.

SAP came in fourth for most vendor disclosures in 2014, following Microsoft, Hewlett-Packard and Advantech, and ahead of Apple.

“In 2013, there was a number of SCADA vulnerabilities, but 2014 marks the first year where a SCADA vendor is among the top vendors with vulnerabilities disclosed against its products. Advantech focuses on automation controllers, industrial control products, and single board computers. SAP is on the list due to an audit ZDI analysts conducted against one of its products, which yielded a large number of findings,” the report stated.

Alexander Polyakov, CTO, ERPScan, said that not only was the number of SAP vulnerabilities in the report significant, but the criticality of the vulnerabilities was also quite high, with affected products including SAP SQL Anywhere, SAP Sybase ESP and SAP Crystal Reports.
