Dynatrace and SAP expand partnership to help retailers drive better business outcomes

Dynatrace announced its expanded partnership with SAP will help prepare the world’s leading retailers for a successful Cyber Monday and beyond.

This multi-year agreement positions Dynatrace as a strategic observability partner for SAP Commerce Cloud. Dynatrace’s digital experience monitoring capabilities, including real user monitoring and synthetic monitoring, together with precise answers from its AI engine, Davis, are now available as SAP Commerce Cloud, digital experience monitoring, an offering customers can subscribe to via the online SAP Store.

The solution enables retailers to maximize customer satisfaction and online conversions by optimizing every step in their user journey, from the first click on a mobile app or website, to code-level insights detailing the performance of underlying cloud services.

“As a part of our digital transformation efforts, we needed to migrate our e-commerce to a more advanced platform. This required digital experience monitoring to understand precisely which improvements to prioritize and ensure everything performs as expected,” said Christoferson Chua, B2B E-Commerce Lead Developer at ASICS.

“The combined power of Dynatrace digital experience monitoring and SAP Commerce Cloud helps us understand and pinpoint bottlenecks across our e-commerce integrations, enabling our teams to proactively drive innovation and optimizations to achieve a fast and responsive storefront. Ultimately, this allows us to strengthen our relationships with customers and partners, as well as our brand value.”

According to recent research by Deloitte, 2020 e-commerce holiday sales are expected to surge by 25% to 35% compared to 2019, reflecting consumers’ preference for online shopping in the wake of the pandemic.

As retailers look to elevate their digital strategies, and competition intensifies, continuous optimization of digital user experience has become essential to the bottom line.

By embedding Dynatrace’s AI-powered observability and digital experience monitoring capabilities into SAP Commerce Cloud, customers gain a deeper understanding of applications and microservices running in their environment, including third-party services.

Dynatrace can identify anomalies, such as mobile app crashes, errors, or performance issues, prioritize them by business impact, and supply precise root-cause determination. This enables digital teams to understand how application performance and new features influence business KPIs, including conversions and revenue, so they can continuously optimize user experience across mobile, web, and other edge-device channels.

“Imagine you’re a retailer, and during Cyber Monday your mobile app or website crashes. What would you do?” asked Michael Allen, VP of Global Partners at Dynatrace.

“Extending Dynatrace’s AI and digital experience management capabilities to SAP Commerce Cloud helps retailers know exactly what’s happening in their environments, across mobile, web, and other edge-channels.

“They can see where the highest-impact issues are, and how the performance of their digital services impacts business outcomes. This helps ensure, even during the most critical moments and heavy-traffic days, digital experiences work perfectly.”

“As an analyst-recognized, market-leading commerce solution, SAP Commerce Cloud is focused on delivering the best possible commerce experiences and outcomes for our customers so they can do the same for their customers,” said Riad Hijal, Global Head and VP, Commerce Strategy and Solution Management at SAP.

“Reliable observability capabilities are a foundational element of a highly available commerce solution. By incorporating Dynatrace’s observability and digital experience monitoring capabilities within SAP Commerce Cloud, customers will be further empowered to monitor the full, end-to-end landscape, from infrastructure and application performance to digital journeys on commerce storefronts.”

September 2020 Patch Tuesday: Microsoft fixes over 110 CVEs again

On this September 2020 Patch Tuesday:

  • Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
  • Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
  • Intel has released four security advisories
  • SAP has released 10 security notes and updates to six previously released notes


Microsoft’s updates

Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.

Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.

“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”

Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.

“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.

“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.

Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.

CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.

“As COM is the base framework of Microsoft services like ActiveX, OLE, DirectX, and Windows Shell, if left unpatched it would give a malicious player a large target to focus on when seeking out vulnerabilities in a network. Given that the exploit can be taken advantage of through a simple malicious JavaScript or website, potentially delivered through a phishing email, it is necessary to address to minimize a network’s attack surface,” noted Richard Melick, Senior Technical Product Manager, Automox.

He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.

“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.

Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.

Adobe’s updates

Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.

The AEM and AEM Forms updates are more important than the rest.

The former fixes eight critical and important flaws, most of which allow arbitrary JavaScript execution or HTML injection in the browser. The latter plugs three critical security holes that carry the same risk (i.e., that of an attacker running malicious code on a victim’s machine).

The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.

None of the fixed vulnerabilities are being currently exploited in the wild.

Intel’s updates

Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).

The AMT and ISM fixes are the most important, as they address a privilege escalation flaw that has been rated “critical” for provisioned systems.

SAP’s updates

SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).

Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.

Intel, SAP, and Citrix release critical security updates

As expected, Microsoft and Adobe observed August 2020 Patch Tuesday, but many other software firms decided to push out security updates as well. Apple released iCloud for Windows updates and Google pushed out fixes to Chrome. They were followed by Intel, SAP and Citrix.

Intel’s updates

It’s not unusual for Intel to take advantage of a Patch Tuesday. This time they released 18 advisories. Among the fixed flaws are: DoS, Information Disclosure and EoP … More


Critical flaw gives attackers control of vulnerable SAP business applications

SAP has issued patches to fix a critical vulnerability (CVE-2020-6287) that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.


The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP HR Portal, and others.

About the vulnerability (CVE-2020-6287)

Discovered and reported by Onapsis researchers and dubbed RECON, CVE-2020-6287 is due to the lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50. The vulnerability can be exploited through an HTTP interface – typically exposed to end users and often to the internet.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) explained.

Onapsis is set to release a report with more information about the flaw, but the CVSS base score it received (10.0) defines it as being easily remotely exploitable without prior authentication and without user interaction.

Patch quickly

The vulnerable component is used in many of SAP’s solutions: SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal, SAP Solution Manager, and many others.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems,” the agency noted.

“Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.”

Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.
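The monitoring CISA recommends above can be reduced to a simple correlation: an anonymous request that reaches the LM Configuration Wizard endpoint, followed shortly by the creation of a high-privilege user on the same host. The following is an added, constructed example (not Onapsis, SAP or CISA code) that runs that correlation over a made-up log; the log format, the wizard URL prefix, the role names and the hostnames are all assumptions.

```python
"""Constructed detection example: correlate an unauthenticated request that reaches
the LM Configuration Wizard endpoint with a high-privilege user creation on the
same host soon after. Log format, path and role names are placeholders, not SAP's."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder: substitute the real wizard URL prefix from SAP Security Note #2939665.
WIZARD_PATH_PREFIX = "/LM_CONFIG_WIZARD_PLACEHOLDER"
ADMIN_ROLES = {"Administrator", "SAP_J2EE_ADMIN"}  # assumed high-privilege role names
WINDOW = timedelta(minutes=30)  # how long after a hit a user creation is suspicious

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                   # "http" or "user_created"
    path: str = ""              # http only
    status: int = 0             # http only
    authenticated: bool = True  # http only: did the request carry valid credentials?
    role: str = ""              # user_created only

def parse_line(line: str) -> Event:
    """Parse one constructed line, either
    '<iso-ts> <host> http <status> <auth|anon> <path>' or
    '<iso-ts> <host> user_created <user> <role>'."""
    f = line.split()
    ts, host, kind = datetime.fromisoformat(f[0]), f[1], f[2]
    if kind == "http":
        return Event(ts, host, kind, path=f[5], status=int(f[3]),
                     authenticated=(f[4] == "auth"))
    if kind == "user_created":
        return Event(ts, host, kind, role=f[4])
    raise ValueError(f"unknown event kind in line: {line!r}")

def detect(lines):
    """Return (severity, host, timestamp) findings in log order.
    medium: an anonymous request reached the wizard endpoint (status < 400).
    high:   such a hit was followed within WINDOW by creation of a high-privilege
            user on the same host, i.e. the RECON chain CISA describes."""
    findings, wizard_hits = [], defaultdict(list)
    for ev in (parse_line(ln) for ln in lines if ln.strip()):
        if ev.kind == "http":
            reached = ev.path.startswith(WIZARD_PATH_PREFIX) and ev.status < 400
            if reached and not ev.authenticated:
                wizard_hits[ev.host].append(ev.ts)
                findings.append(("medium", ev.host, ev.ts))
        elif ev.kind == "user_created" and ev.role in ADMIN_ROLES:
            cutoff = ev.ts - WINDOW
            if any(cutoff <= t <= ev.ts for t in wizard_hits[ev.host]):
                findings.append(("high", ev.host, ev.ts))
    return findings

# Constructed sample log (not real SAP output): one full chain on sapjava01, an
# authenticated admin visit, a rejected anonymous probe, and a routine admin creation.
SAMPLE_LOG = """
2020-07-14T09:00:00 sapjava01 http 200 anon /index.html
2020-07-14T09:01:10 sapjava01 http 200 anon /LM_CONFIG_WIZARD_PLACEHOLDER/start
2020-07-14T09:06:30 sapjava01 user_created newadmin Administrator
2020-07-14T09:10:00 sapjava02 http 200 auth /LM_CONFIG_WIZARD_PLACEHOLDER/start
2020-07-14T09:12:00 sapjava03 http 401 anon /LM_CONFIG_WIZARD_PLACEHOLDER/start
2020-07-14T09:15:00 sapjava04 user_created ops_admin Administrator
""".strip().splitlines()

FINDINGS = detect(SAMPLE_LOG)  # one medium and one high finding, both for sapjava01
```

Only the host where the anonymous wizard hit succeeded and was followed by an admin creation is escalated; the authenticated visit, the 401-rejected probe and the stand-alone admin creation produce nothing.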

Virtustream’s new services improve application availability SLA for mission-critical SAP applications

Virtustream, an enterprise-class cloud company and Dell Technologies business, announced new Managed Availability Services designed to deliver 99.95% availability for mission-critical SAP applications, giving peace of mind to enterprise customers who require the highest level of up-time for their applications.

The new Managed Availability Services complement Virtustream’s extensive xStreamCare services portfolio, extending its end-to-end support – from migration to management – for customers’ SAP applications on the Virtustream cloud.

In order to optimize SAP applications, Virtustream already offers availability service-level agreements (SLAs) for both infrastructure (99.999%) and applications. However, customers can now implement Managed Availability Services to improve their application up-time SLA from 99.9% to an impressive 99.95%.

“There are very few cloud companies that can offer the technology stack and deep expertise necessary to deliver 99.95% availability for mission-critical applications,” says industry analyst Matt Eastwood, Senior Vice President, Enterprise Infrastructure, Cloud, Developers and Alliances, IDC.

“That amounts to just a few hours per year of down-time. As cloud vendors continue to innovate and dial into the real-world requirements of enterprise customers, it’s services like these from Virtustream that will truly stand-out for customers with business-critical workloads in data-intensive sectors like banking and finance, retail, healthcare, manufacturing, oil and gas, higher education and research.”

“With thousands of SAP migrations in our experience, our deep expertise and proven methodologies appeal to enterprise customers across all industries,” says Rob Scott, Vice President of Professional and Managed Services, Virtustream.

“We’ll continue to broaden our SAP services portfolio and enhance our cloud platforms to deliver the solutions that our customers require for their complex IT environments.”

Managed availability services ensure higher up-time for mission-critical apps

Businesses hosting their SAP applications on Virtustream’s cloud can now take advantage of its new Managed Availability Services, an add-on to Virtustream’s existing xStreamCare services for SAP applications. The new services increase application availability, further reducing the costs and business risks associated with planned and unplanned downtime.

The Managed Availability Services combine deep application-aware monitoring with automated failover capabilities to ensure maximum up-time for an enterprise’s most critical SAP applications. The solution actively monitors the entire SAP environment, including servers, storage, operating system, network, databases and applications to detect and remediate problems early.

Managed Availability Services leverage enterprise-class technologies, such as SAP HANA® system replication (HSR), in order to provide numerous customer benefits, including:

  • Superior protection against hardware and software failures
  • Potential of near-zero planned downtime
  • Cohesive, end-to-end approach for each stage of the journey for a one-hand-to-shake experience

The service consists of clustering software licenses and the planning and deployment of a cluster, including provisioning, installation and configuration. It is available globally today.

New services complement Virtustream’s growing xStreamCare Services portfolio

xStreamCare Services provide a comprehensive suite of professional and managed services for customers looking to migrate applications to the cloud, with a specific focus on leveraging Virtustream’s decade-long experience, automation, end-to-end processes, and deep technical expertise in migrating and managing mission-critical SAP applications.

This suite of services helps customers modernize their mission-critical applications in the cloud, and includes personalized, white-glove services for planning, migration, integration, and optimization.

As a complementary piece to the xStreamCare services portfolio, Virtustream’s new Managed Availability Services extend the broad choices available for customers running on Virtustream’s cloud, ensuring their applications can deliver the highest levels of business value attainable.

The potential impact of SAP security remediation

More than two thirds (68.8%) of SAP users believe their organizations put insufficient focus on IT security during previous SAP implementations, while 53.4% indicated that it is ‘very common’ for SAP security flaws to be uncovered during the audit process. These are key findings of the SAP Security Research Report by Turnkey Consulting.


The research also uncovered that most respondents were not fully equipped to manage risk. A fifth (20.8%) felt most businesses did not have the skills and tools to effectively secure their SAP applications and environment, with 64.3% saying they only had some skills and tools.

Looking at specific concerns, nine out of ten (93.2%) people thought it was likely that an SAP audit would flag access management issues. Privileged or emergency access was also a major concern with 86.4% believing it was common or very common to have audit findings specifically related to it.

However, the research also showed a growing awareness of the security challenges faced by today’s enterprise, with the adoption of ‘security by design’ regarded as a solution. 74.0% expect IT security to take greater priority in future SAP deployments, with 89.6% agreeing that security specialists should be brought on board to support their SAP S/4 HANA transformation programs.

Richard Hunt, managing director at Turnkey Consulting, said: “The findings of this survey mirror our day-to-day experiences; SAP security is often an afterthought on SAP deployments, with the result that not enough time and resource is allocated to the essential security activities that need to take place throughout the project.”

“However it is encouraging to see that boardroom awareness is growing as the general business environment becomes increasingly focused on compliance, data protection and cyber security. This understanding will drive organizations to take the critical step of designing security into implementations from day one.”

Turnkey undertook its inaugural SAP research to determine organizations’ preparedness as the SAP landscape undergoes a time of transition and the deadline to adopt SAP S/4 HANA approaches. The SAP ERP offers extensive user benefits in terms of increased interconnectivity and mobility, but risks leaving SAP applications and infrastructure open to exploitation.

“Rolling out SAP S/4 HANA requires significant investment and organizational commitment. This reinforces why building in security from the start is vital if remediation, which is costly from both a financial perspective as well as in terms of business disruption, is to be avoided further down the line,” Hunt concludes.