"To get a better picture of SAP as a vendor and their products, it's more interesting to look at response times, like time-to-patch, and the types of vulnerabilities being addressed in the products," Eiram said.
Based on an analysis of 56 vulnerabilities that third parties reported to SAP, the vendor is not fast at developing and releasing fixes, Eiram said. The company's average time to produce a patch for those issues was around 8 months -- the maximum was 765 days and the minimum 37 days.
According to Eiram, a quick glance at the vulnerability entries for last year shows that the majority of them are "fairly basic" ones like XSS (cross-site scripting), hard-coded credentials, directory traversals, and missing or improper permission checks. These are issues that a proper security development lifecycle should normally iron out, he said.
ERPScan has also identified cross-site scripting as being the type of flaw that pops up most often in SAP advisories. The company even released a guide to help administrators protect their systems against attacks exploiting such flaws.
SAP defended its security practices.
"SAP has a comprehensive product security strategy across the enterprise that rests on three pillars: 'Prevent - React - Detect'," SAP said in an emailed statement. "An important component of this strategy is the 'Secure Software Development Lifecycle,' which provides a comprehensive framework of processes, guidelines, tools and staff training. Thus, we are able to ensure that security software is an integral component when it comes to the architecture, design and implementation of SAP solutions."
Onapsis's claim that more than 95 percent of SAP systems are exposed to vulnerabilities is false, and Onapsis is seeking to alienate SAP customers while promoting its own products, SAP said.
Regardless of whether that 95 percent figure is exaggerated, insecure deployments of SAP products are only part of the problem.
SAP is more like a framework on top of which organizations build their own custom systems, said Alexander Polyakov, the CTO of ERPScan, via email. This means that SAP systems are different in every organization, and in addition to platform vulnerabilities, there are also issues in the custom programs that make up around 50 percent of SAP implementations, he said.
Those custom programs often have the same types of vulnerabilities that are commonly found in SAP products: XSS, missing authorization checks and directory traversal, according to Polyakov.
Many companies outsource the development of their custom SAP-related programs, and security is definitely not a strong point of outsourcing firms, which are typically focused on minimizing development time and costs, the ERPScan researchers said.