Statistics document: SAP Security know-how is a scarce resource
Since January 2010 SAP AG officially thanks security researchers across the world for their work. There is a dedicated page for this on SCN: https://scn.sap.com/docs/DOC-8218. It lists researchers (and their affiliated companies/organizations) and which SAP Security Note solves the vulnerability (AKA Zero Day / 0-Day) they discovered.
I took the liberty to perform a statistical* analysis (based on the data from March 2013) of all entries on this page and got some pretty amazing numbers I want to talk about.
All in all 36 different organizations are involved in all reported vulnerabilities. 33 of them are companies, 2 are universities and the public sector is also mentioned once.
The 296 listed entries credit 355 contributions of different researchers. All in all 72 (named) researchers were involved. I find the following details striking:
- 50% of all reported vulnerabilities in SAP products originate from only 2 companies
- 80% of all reported vulnerabilities in SAP products originate from only 7 companies, representing 20% of all involved organizations
- 50% of all reported vulnerabilities in SAP products originate from only 8 researchers
- 80% of all reported vulnerabilities in SAP products originate from only 23 researchers
- The top 4 researchers were involved in 33% of all reported vulnerabilities
- The top 10 researchers were involved in 55% of all reported vulnerabilities
This clearly shows that SAP Security know-how is concentrated in very few people/organizations in the world. Therefore, good advice in that field is definitely hard to get.
*Some notes regarding the statistical analysis:
SAP lists 296 entries that relate the work of security researchers to SAP security notes. However, I have to point out that sometimes (yet rarely) different organizations report the same vulnerability independently. This means that in some cases multiple researchers/organizations received credit for the same SAP security note. On the other hand, SAP also bundles (different) vulnerabilities (from different researchers of the same organization) into a single note every now and then. This means that a single SAP security note may close more than one vulnerability. Consequently, you can’t (easily) deduce the number of vulnerabilities from the number of SAP security notes. However, for the sake of simplicity in this analysis, I act on the assumption that one SAP security note corresponds to one vulnerability and that every credit from SAP can be treated individually. This simplification leaves some room for friends of Mark Twain though.
The dark figure of vulnerabilities that have not been reported cannot, of course, be statistically investigated…
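To make the counting method above reproducible, here is an added example (not part of the original post and not the real SCN data) that applies the stated simplification, every credit line counted individually, to a small constructed set of credit entries and computes the "top N hold X%" and "N needed for X%" figures per researcher and per organization; note ids, names and organizations are placeholders.

```python
from collections import Counter

# Constructed sample of SCN-style credit entries: (security note, researcher, organization).
# Placeholders only, not the real March 2013 data from the acknowledgement page.
CREDITS = [
    ("note-1", "alice", "OrgA"),
    ("note-2", "alice", "OrgA"),
    ("note-3", "bob", "OrgA"),
    ("note-3", "carol", "OrgB"),   # one note credited to two organizations independently
    ("note-4", "carol", "OrgB"),
    ("note-5", "dave", "OrgC"),
    ("note-5", "erin", "OrgC"),    # two researchers of one organization bundled into one note
    ("note-6", "frank", "OrgD"),
    ("note-7", "alice", "OrgA"),
    ("note-8", "grace", "OrgE"),
]

def count_credits(credits, field):
    """Credits per researcher (field=1) or organization (field=2); each credit line counts once."""
    return Counter(entry[field] for entry in credits)

def summarize(credits):
    """Headline numbers: distinct notes, raw credits, distinct researchers and organizations."""
    return {
        "notes": len({note for note, _, _ in credits}),
        "credits": len(credits),
        "researchers": len(count_credits(credits, 1)),
        "organizations": len(count_credits(credits, 2)),
    }

def share_of_top(counts, n):
    """Percentage of all credits held by the n most credited contributors."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return round(100 * top / total, 1)

def smallest_group_reaching(counts, percent):
    """Fewest top contributors whose combined credits reach the given percentage."""
    total = sum(counts.values())
    running = 0
    for rank, (_, c) in enumerate(counts.most_common(), start=1):
        running += c
        if running * 100 >= percent * total:   # integer comparison avoids float rounding
            return rank
    return len(counts)

if __name__ == "__main__":
    orgs = count_credits(CREDITS, 2)
    print(summarize(CREDITS))
    print("top 2 orgs:", share_of_top(orgs, 2), "% of credits; orgs for 80%:", smallest_group_reaching(orgs, 80))
```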