KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our webinar "SAP Security Made Easy: How to Keep Your SAP Systems Secure". This webinar is supported by ERPScan. The speakers today are me, Martin Kuppinger, founder and principal analyst at KuppingerCole, and Alexander Polyakov, who is CTO at ERPScan. Before we start, some short information on KuppingerCole and some housekeeping information, and then we will dive directly into the presentations.
KuppingerCole is an analyst company providing enterprise IT research, advisory services, decision support and networking for IT professionals through our research services, our advisory services and our events. Amongst our events, there will be an event over the next year in China, and there's our main event, the European Identity & Cloud Conference, which will be held again next time May 5th to 8th in Munich.
It is clearly the must-attend event in Europe, with more than 600 attendees, a lot of information, and more than 100 sessions and speakers. So it is definitely worth spending your time there. We also do a number of seminars. Most of them are currently in German; there will be more English-language seminars in 2015. So there's a number of seminars we will hold in various cities in Germany and Austria; the Austrian one is in 2015. Have a look at our website regarding the seminars. Now some guidelines for the webinar.
You are muted centrally, so you don't have to mute or unmute yourself; we are controlling these features, so you don't have to care about them. We will record the webinar and the recording will be available tomorrow, and there will be a Q&A session at the end, but you can enter questions at any time. I always recommend doing that: once you have a question, enter the question, so that we have a long list of questions for the Q&A session when we start. We also might occasionally pick a question during the webinar itself. The agenda for today is split into three parts.
In the first part I will talk about security requirements in SAP environments and how to mitigate these from a high-level perspective. Then in the second part, a little longer presentation, Alexander Polyakov will talk about an integrated approach for SAP security, implemented in a lean and efficient way, and after that we will move to the Q&A session. So when we talk about SAP security, sometimes the perception is there, or the argument is raised, that this is more important than the rest.
I think there are some arguments for it, and there are some arguments against it, and this is about the question: do we really need to focus specifically on SAP security? Is this really our key concern? The one argument is that SAP systems usually contain critical business information, contain sensitive information. On the other hand, depending on the industry, there might be a number of other systems that contain critical information as well.
So your product lifecycle management systems, and a lot of specific applications you might have, particularly in the finance industry, etc. So yes, SAP, if it's there, is usually a business-critical system, but there might be others as well. Yes, businesses rely on well-working SAP systems. That is another argument for putting more emphasis on the security, particularly with the increase in threats we are facing.
On the other hand, there might be systems which are even more critical in a number of organizations, because if, for instance, the production process in manufacturing lives on a system which is not necessarily SAP, this might be far more critical than the SAP system: you might survive well a few hours not being able to send out invoices, but if your production stops for a while, that might be far more costly. Depending on the industry, it might be extremely costly. Yes.
And SAP systems are the major audit target, but there are, I think, two arguments you should keep in mind. Auditors are expanding their reach to new targets, so SAP clearly is not the only target, though it's still the major target. The other thing is that I'm a strong defender of the idea to work for the business, not for the audit: to try to become better, to improve your business, and not only to just be compliant. Nevertheless, if you look at it from a different angle, is SAP security different from the rest?
There are a number of very specific needs for specific SAP security solutions, or SAP-specific security solutions, which would be the more correct term. If you look at all the SAP applications, the various types of systems, we see a quite impressive number of different security concepts, and some of them are also quite specific. So if you look at core systems security, it is exclusively tied to ABAP, and the security concepts are somewhat specific to SAP. They need to be understood.
So how do transaction codes, authorization objects, types of roles, or, if you look at older systems, profiles, etc. relate to each other? You need specific knowledge, and to deal in depth with these challenges, you need a specific type of tools. So mastering SAP security requires a thorough understanding of these concepts, the standard security settings, etc.
And it's a quite complex environment, as all of those who are from the SAP area know, which requires a lot of knowledge, and tools which sort of have built-in knowledge and transport this knowledge into best practices clearly help in becoming better in SAP security. So there's good reason. There's another reason if I look at it more from the identity and access management perspective, that part of security which is not the only one, but which is an important part of security. So if I look at it more from the perspective of how I manage identities and access.
So, who's allowed to do what in the SAP system? This is a key portion of security. Then we have these systems known as access governance, where we do analytics, collect all the access entitlements, request access, and where we do re-certification, and we have identity provisioning to write information into the target system. So identity provisioning, in the SAP world, might be SAP Identity Management; access governance might be GRC Access Control. It might be tools from other vendors.
There's a number of vendors providing identity provisioning and access governance tools out there. So there's a range of things. And particularly for the access governance part, when it comes to SoD violations, segregation of duties, etc., we also see ERPScan in that space, and Alexander Polyakov will talk about this later.
So we might have a hierarchy of roles on that level, where we look at business roles cross-system, where we have the system roles which are exposed and mapped to SAP business roles, for instance, but we might have another hierarchy within the system. So when we look at SAP, we have these hierarchies going down to transactions, starting at a high business level, which makes it clear that we cannot manage everything from a central perspective.
So the coarse-grained view we have in access governance and identity provisioning is not enough to manage system-level security in detail. This is, I think, at the end of the day, one of the most important and compelling reasons to add specific tools for some of the major environments, which includes SAP, which might include Active Directory or SharePoint, mainframe environments, and some others. So there's a good reason for a specific SAP security solution. And when we look at what such a solution should support, there's a number of areas we are seeing here.
So one of these areas is identifying and remediating access risks: where do people have excessively high access or entire access entitlements? Where can they do more than others can do, but also where do we have segregation of duty conflicts, which then relates to the second bullet point or second entry here, understanding the access risks and the related compliance checks. So all the segregation of duty stuff, etc., clearly is one of these areas. Another area is that users must be empowered to request and approve access.
We need to support internal and external audit processes, which I think is a very important thing these days, because what we really observe in a number of organizations is that organizations are massively challenged by the fact that they have to spend more and more time fulfilling audit requests, time which is then missing for the standard daily operational work, but also missing when it's about improving the environment. So a lot of time of IT departments is consumed by fulfilling audit requests. We clearly need to get a grip on privileged users and super users.
So SAP* is clearly one of these, but also other types of privileged users, because on one hand we know that they can cause more harm. On the other hand, we know that attackers, particularly external attackers, are looking to get a grip on these accounts, because that's where they can act most efficiently. So they are looking for that. We need to understand which of these accounts we have, we need to monitor them, we need to understand what could happen, etc., and this is, I think, closely related to the other stuff I talked about before.
We need to create an audit trail of access-related activities, to understand who can do what, to be able to review what has happened, whether there has been something going wrong, etc. But there are more things we have to look at, and I think that some of these are quite specific.
In fact, they're not really specific to SAP, but they have a specific relevance in SAP environments. One of these is that we need to gain insight into critical security configurations, which we always should have.
So we always should have well-defined, well-sorted standard concepts for baseline security and understand which settings are critical, etc., but particularly given the sometimes pretty complex security configurations of SAP environments, together with the risk of these systems, we need to become even better in managing and understanding these security configurations, and be able to identify where we have critical configuration settings, to then either change these settings or set up mitigating controls.
We need to identify software vulnerabilities, also something we need to do everywhere. But again, there's a specific requirement in SAP environments, where a lot of custom code is written and where we again have highly critical information. This includes, and I think this is part of identifying vulnerabilities, also the ability to review source code, to understand what is happening in the code.
Etc. We need to enforce standards compliance, so fulfilling the various standards we have.
And again, here it's about: is our configuration ready to fulfill, for instance, PCI DSS, and all the other standards organizations are facing, ISO 27001 and so on? The better we can do that, the less risk we have in the compliance area. So there are a number of aspects we have to look at, and this is in fact also what we need to do to mitigate risks in SAP environments. From a high level, what we actually should do is put this into a context.
So we shouldn't just have a tool here or a tool there, but understand this as part of a bigger story, which, when we start at the right side, starts with enterprise GRC, where we see at a high level the risks across the enterprise, not only IT, but particularly business. So business usually is served well by enterprise GRC, but we also should show the IT risks in that area. We have IT GRC with the risks for audits around the IT-specific aspects. And then we have, within the security part, sort of a split of the two last slides.
In the previous slides I had, the one is more the business-focused security, so SoD controls, access requests and risks, and the other is more the IT-focused security, so vulnerabilities, misconfigurations, etc. We need to do this in a consistent way and look at how we can handle that type of security in an integrated approach. This is where I want to hand over to Alexander Polyakov, whom I will make presenter now. He will talk about an integrated approach for SAP security, implemented in a lean and efficient way. Hi Martin, thanks for the introduction. Can you hear me well?
Yes. Excellent.
Okay, great. So my name is Alexander.
I work at ERPScan as CTO. I will just briefly introduce how it started for me, in about 2007. I'm originally from the penetration testing side, and during one of the security assessments I found an SAP system. I had no idea what it is, how to break it, how to analyze its security. There was almost no information on the internet. So I finally found a zero-day vulnerability in the SAP system and successfully got access to this application.
When we presented the results to management, they were very surprised that it's so easy to break such a critical system. After that I realized, okay, so we have some kind of critical system which stores everything, on one side; on the other side, nobody knows how to analyze its security.
And it's actually not very secure if I was able to find a zero-day vulnerability in 15 minutes. So that is how it was before, and what we have now. Now we have a solution for analyzing SAP security, we do a lot of presentations about difficult technical aspects in the SAP security area, a lot of new stuff. And, what was more important, we also work closely with SAP, starting from 2007, in very different directions. We work with the product security response team.
We usually send them information about different vulnerabilities that we found, or different incidents that we are also trying to find. We work with the product security team, helping them to make security assessments of the latest products. We're also an SAP partner. But, you know, one thing is to make the product secure, which is what SAP is trying to do very well, and we're helping them in this area.
Another thing is to be sure that this product is securely implemented, because these are absolutely different things, and the clients usually ask different types of questions, like how to protect from cyber attacks and from fraud, how to automate security checks for a huge landscape. Because if you have one SAP system or two systems, you probably can manage everything manually; it'll be hard, but you can do that. If you have a hundred systems, it's nearly impossible. So there are lots of questions in this area.
I will try to answer some of them in this presentation. From another side, we see that every year the interest in SAP security is growing. The number of research talks about SAP security at technical conferences is growing.
And the question is how we can prevent those problems, as the number of vulnerabilities in SAP systems is growing as well. So we have about, more than 3000 issues in SAP platforms.
I usually don't even have time to update those figures. There were a couple of news items about this: sometimes, if companies find a vulnerability, they disclose it without notifying the vendor, and disclose the source code, which will not be very good for the customers. We work with SAP: we wait for a patch, then we wait three months for customers to close our vulnerabilities, and then, after that, we sometimes publish details of the vulnerabilities. And there were a couple of real incidents in that area.
One of the most important ones is the first malware targeting SAP landscapes. It was originally a banking Trojan; there was a specific version of this banking Trojan which was created to sniff SAP. First of all, it analyzes if an SAP application is installed on the workstation, and if it's installed, the malware tries to sniff the passwords and user names, and also makes some screenshots during the user's login to the SAP system.
So it was just a collection of different information, nothing else, but it was the first step of every attack. Nobody knows what they were planning to do with this information; hopefully, because we disclosed all those details publicly, we prevented some more critical infection. And I think, if you are here, you already understand what kind of issues can happen, what kind of things can happen.
If somebody can get access to your ERP application, it is possible to steal corporate secrets, HR data, or make a denial of service attack on the system. Let's say you have a banking system.
And if you stop the business processes for seconds, you will lose millions. There are lots of other risks. For example, if somebody can get access to the HR system, he can modify the salary. Of course he will not do it directly, because this information is stored in other places, but he can change the number of additional hours that this employee works per day, so the system will automatically recalculate the salary, and the employee will get a bigger salary. This is one of the real examples that we saw.
So the problem, as I see it, in terms of defense, is that SAP is mostly owned and managed by the business, and the business is rarely taking care of security. Only sometimes they care about segregation of duties, SoD, because they have compliance problems, such as those related to SoD. From the other side, the CISO or the security team sometimes don't even know that their company uses SAP. And even if they know, they probably don't have a real understanding of how to deal with it.
They rarely care about SAP system security; they are more focused on infrastructure security. Well, the thing is, if a breach happens, it'll be the CISO's responsibility. So there is a gap between the owners of the system and the people who are responsible. Our mission is to help close this gap, and to give a solution that can be used by multiple units. So SAP security is quite different from typical security, as Martin said. I can add that it's mostly because of complexity: SAP solutions are very complex.
The company is more than 40 years old, it's even older than Microsoft, so you can imagine how much code those systems have. But the most important thing is customization.
SAP is not like software itself, it's more like a framework, and on top of this framework every company builds their own solutions. So it's highly customizable and it's highly risky. Sometimes administrators don't even want to update the system because they're scared that some things may go wrong because of the updates, some connections with old systems and so on. Another problem is that there's still not so much information about SAP security on the internet.
Well, there are a couple of myths as well. Like, SAP systems are only available internally, which is not true, and we can easily find many SAP systems just by Google searching. And after HANA, it's not possible to say the SAP systems are only available internally; they're more and more open to the internet. Or: SAP application internals are very specific and not known to hackers.
Well, maybe that was five or seven years before, but now even the typical penetration testing tools like Metasploit have exploits for SAP systems. Or: SAP system security is the vendor's problem. In some cases it's the vendor's problem, of course, but if you don't configure password policies, and if you don't change default passwords, it's not the vendor's problem. And of course, SAP security is not only about SoD. As we see, there are three areas in SAP security.
The first one is, of course, business logic, segregation of duties, like the access control, where we're trying to prevent attacks and mistakes made by insiders. The second is custom code security, where we're trying to prevent attacks and mistakes made by developers or third-party developers; it can be vulnerabilities, but it can also be backdoors. And the third area is application platform security, where we're trying to prevent unauthorized access, from internal and from remote attacks.
This is everything about password policies, vulnerabilities, unnecessarily enabled web services, default passwords and so on, network and platform security things. In my opinion, this area is much more important than the other two, because if there is an issue in the first two areas, to exploit this issue you need to have some kind of access to the system. But if you have a vulnerability in the application platform, like a remote buffer overflow, you don't even need to have access to the system, you don't need to be an employee, you can exploit it.
So in terms of defense, what we have right now is the current security solutions, like vulnerability assessment, security management, application security testing; they have very little coverage of SAP. Honestly, they don't cover it at all; there are only some typical checks. From the other side, tools and solutions focused on SAP security are much more effective, but they only cover one of those areas.
And another thing which is also important: they are very SAP-specific. The security officers, everybody knows that the SAP platform is hard to understand; you need to work with this a lot. So if you just give somebody from the security area access to SAP to configure security, it's very hard. So they want to have some kind of solution that they understand how to work with. As we see it, the way to deal with that is that there should be a platform for everybody.
So that SAP people, SAP Basis guys, developers can connect to this platform and somehow analyze and solve their problems. The security guys also need to be able to connect to this platform and see dashboards or something, and risk management. So all the people can connect to this platform, and this platform should cover all the possible aspects. And of course it should be complementary to SAP things like SAP GRC, and extend those offerings in specific areas which are not covered.
So we're trying to solve those problems in our product, and we have successfully made many steps in this area, plus there are many things to do, but I can show you what we have right now. So the ERPScan Security Monitoring Suite is a client-server application which can be installed on a server, on a virtual appliance, in the cloud, everywhere. It can be used by multiple users, so you can remotely log in, have your own user ID and your own rights in the system. You can be an SAP administrator, a security guy, or even a penetration tester.
The platform is integrated via API with other solutions like security event management and GRC tools, and also with ticketing systems. We have connectors for different types of SAP applications, from ABAP and Java to HANA, BusinessObjects and mobile applications. And we have three modules: vulnerability management, source code scanning, and segregation of duties, which can be used together or separately. But of course, if you use the modules together, you get much more insight into the system.
In detail, if you look at that, we try to solve all the potential needs of enterprise clients, like giving different metrics to see statistics on how the security posture is changing over time. So you can schedule projects and understand changes; you can compare two different scans and find information like, okay, last week there were 10 users with SAP_ALL rights, and now we have 11 users, so there is a new user with SAP_ALL rights, let's investigate this issue. And you can export results in different formats, to different tools, and generate reports.
And of course, to be more enterprise-ready, you can manage all those projects, generate different templates, so select what kind of checks you want to have, manage your landscape, automatically identify all the related systems, do risk management. So the system can show you the criticality, the probability, the type of vulnerability, whether there is an exploit on the internet, and lots more things.
And you can assess different types of risks based on those figures. If you don't like the risk that the system shows you, you can change the risk, you can accept the risk, and so on. You can have notifications if something happens, and you can generate tasks for a specific employee. In terms of the three modules: vulnerability management allows you to do black box testing, white box security scanning, security patch analysis; you can actually exploit vulnerabilities, check for different types of compliance, and even check password strength.
And it all works for different types of platforms. In terms of source code, we scan the source code from a repository, from a development request, and we do static code analysis and data flow and control flow analysis to identify different vulnerabilities, 130-plus types of vulnerabilities in ABAP and Java programs. We are happy to announce that we also support web service applications and XML security checks, and of course ABAP.
And segregation of duties: you can use this module simply just to check what kind of critical actions every user can do. It's not segregation, it's just a list of critical actions, but we have predefined templates for different systems, modules and even industries. So you can use a template for oil and gas, for the banking industry and so on. We have preconfigured lists of transactions in those areas, and of course you can modify those transactions.
I have a couple of case studies which can answer a couple of questions, like how to automate security monitoring for a big landscape using this tool. A case for one large oil company: the solution was to configure this tool to run scans covering the most critical assets, then configure the export of results to IBM QRadar for correlation with all the other events and vulnerabilities. They manage everything in the QRadar platform; they also manage the vulnerabilities in the operating system, the network environment and so on.
So they correlate all of it together with the SAP things, and managers can see the trends and dashboards. They also configured, we have a function to generate a PowerPoint presentation report, a high-level report, to present to management. So we configured the system to send weekly PowerPoint presentation reports by email, just for a high-level overview of SAP security. That's how they deal with huge landscapes.
Another issue that most of the Basis teams are facing is how to minimize the downtime of systems during updates, because every month about 30 to 50 patches are released, and they need to minimize the time to update because some updates require a system reboot. So the solution, what we can do, is we have two options: scan for the missing SAP Security Notes, more than 3000 security notes, and the system can show you the criticality, CVSS, the probability, whether there's an exploit on the internet and so on.
So you can filter all those issues and categorize them, and finally find only, like, five issues instead of 30 issues that you need to patch right now. You can also run a remote scan for black box vulnerabilities, and then the system correlates the data, and finally you get a report with just those vulnerabilities which really exist in the system, can be exploited, and which you need to patch right now. Compliance: for compliance regulations we also provide a step-by-step approach.
So the solution was, first of all, to select what kind of compliance this company needs, is it PCI DSS, SOX and so on. Then, if you're talking about technical aspects, you can select different types of guidelines, like SAP guidelines, ISACA guidelines, DSAG, and our own guideline, which is called EAS-SEC. The cool thing about this standard is only 33 most critical checks. So if you have a huge landscape, you can run this type of compliance to deal with the most critical issues, then run another type of compliance, like SAP guidelines, then ISACA guidelines, and then the next one.
So you can have a step-by-step approach to securing the system. It's not like, we have about 7,000-plus security checks, so if you run them all, you will have lots of issues. That's why we have this approach to run different types of compliance, and so on. And you can add industry-related checks of your own, so you can have your own guideline made from all those existing guidelines, and add your industry-related checks, like for banking, retail, or other industries. And I think the last thing is to help security consulting companies.
We also have a consulting version. Consulting companies usually want to provide a security assessment or penetration testing with minimum time spent doing it; if they do it manually, it can last for months or even half a year, because this is how we also started. We started with manual assessments, and after that we decided that we needed to have a tool, at least to help ourselves. The solution is to use the vulnerability management module and run the black-box testing, and in the black-box testing we have an option to actually exploit the vulnerabilities.
So you can exploit most of the vulnerabilities, get access to business-critical data, run business-focused payloads, like downloading data from the list of customers, and you can present these results to management and it will be very easy. We are also matching different requirements of enterprise customers, like multiple SC compression and customer to blades, and so on. And the strength of the solution is the 360-degree approach. So you can address all types of problems, like vulnerabilities, source code issues, and segregation of duties.
Even if you have some solutions for some of those areas, you can choose only one module. But if you combine all the modules, it gives you much more visibility, because you can correlate data from the different modules. For example, you can find the list of problems with vulnerabilities, and then you can look at how many users can actually execute those programs.
And whether those users use critical passwords, and so on. So it gives you much more visibility of security. So thanks for listening to me. I hope you enjoyed this talk, and I am very keen to listen to your questions and answer them. Thanks.

Thank you, Alexander. Right now I will switch back to me and ask you to enter your questions in the GoToWebinar control panel so that we can provide you with answers to these questions. We already have some questions in front of me. So Alexander, what is, from your perspective, the single biggest risk in SAP environments?
Well, the single biggest risk? The single biggest, the one which you find most across the various risks you are looking at. I think there is a broad range of things, so if you would say this is the most critical thing you see in SAP environments, what would you rate first?

Sure. So we have the EAS-SEC project, where we actually rated all the types of areas by criticality, probability, and so on. According to this guideline, the first one is vulnerability management.
The second one is the password problem, the third one is unnecessarily enabled functionality or services, and so on.

Okay. So vulnerability management is, from your perspective, if you look at what can happen, how big the risk is and the probability, the number one issue and not sufficiently addressed? Okay.

Yeah. I mean, it is the most critical; in most cases it is very easy to use, and it appears in almost every company. So it is in first place, but it is very close to second place, which is the default passwords.

Hmm. Okay.
Another question. How relevant are SAP exploits really in the external attacker community? You said that you came from the penetration testing area and probably have some insight. What are the things which are discussed there, or which are used externally, which are more common? In your presentation you said at one point that today it is part of Panas, there is knowledge. So could you maybe talk a little bit more about your observations on how relevant, how important, how frequent SAP appears in the attacker communities?

Okay. So if you look at 2007 and 2008, the number of companies who were involved in SAP security research was about four or five companies, maybe less, and year by year the number of companies looking for vulnerabilities in SAP systems doubled. This is public information: you can go to the SAP acknowledgements page and you can find many new names every year. So now there are almost 60 different third-party companies that have sent at least one vulnerability to SAP.
So every year this is becoming more and more popular, and the typical security tools, as I said, like Metasploit, have more and more SAP-related exploits. So even script kiddies can exploit them and use them. In terms of how often: usually SAP releases about 30 to 50 patches every month, and about 30% of them come from third parties. They usually publish some kind of advisory or some kind of information, and those of them who really follow the rules publish some details after three months.
And some of them can just publish it right after the patch. So maybe one, two or three vulnerabilities every month can be found with details and real exploits. So every month you are affected by one to three potential vulnerabilities. And here I am talking only about vulnerabilities that third-party companies are looking at, but nobody knows how many issues were found by the black-hat guys and how many issues are really being used by them now.

Okay. Final question.
At least from the ones I already have here in front of me: on which platform does the tool run? Is it an ABAP tool or a Java tool, or where does it run?

Yeah. Okay. So from the beginning, the idea of this platform was that it is an independent platform, so that you do not need to install something on SAP, you do not need to install agents on SAP, and this platform can be used by penetration testers from a laptop or by large organizations on a server. And we chose Java.
So it is based on the Apache Tomcat web application server; it is a Java application on the server, and you can use a web browser as a client. Which means it can be installed in different types of environments. And the great thing is that, as I said before, it is agentless. So you do not need to modify your SAP system somehow, you do not need to install agents. The only thing you need to provide is a connection, a user name and a password to download the data.
And even this data is sometimes not needed: if you just want to run a penetration testing scan or black-box scan, you do not even need to specify user names and passwords. You can just specify the IP range of your network, run the tool, and it automatically finds all SAP systems, related services, versions, and the vulnerabilities and potential exploits.

Okay, perfect. So I have no further questions here. First of all, thank you to all attendees for listening to this KuppingerCole webinar, and thank you, Alexander, for presenting and providing so much interesting and valuable information.

Thank you. Yeah. Thanks, Martin.