PUBLIC
Volkmar Lotz, SAP Security Research, Mougins, France
Bridging Research and Innovation at SAP Security Research
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
Who we are
An industrial research strategy for security
From research to innovation: an example
Collaboration
Lessons learned
SAP Security Research Facts 2018
Locations: Sophia Antipolis / Mougins, Karlsruhe, Walldorf
7 collaborative projects (PFP)
60+ partners
800+ k€ funding (est.)
24 researchers
6 PhD students
20+ master students
10+ nationalities
20+ scientific publications
1 Distinguished Paper Award
1 Smart Security Week Award
7 IDFs
20 patents
4th professor in 4 years
Our Mission at SAP Security Research
Mission: Bridging Scientific Research and SAP® Product Development
The SAP Security Research organization serves as a security thought leader at SAP, constantly transforming SAP by improving security. We are thinking ahead and preparing the way for product security at SAP.
Research Objective: Constantly challenge given security assumptions!
(Diagram: scientific maturity plotted against product / tool maturity of results; phases Explore, Research, Run, Monitor)
SAP Security Research: from scientific research to product development
Scientific Research (universities): theoretical research, basic principles, new theories, new fundamental methods, etc.
Applied Research: refinement of methods (performance, etc.) and application of methods to validate applicability in the software industry
Prototyping: build prototypes to prove applicability; blueprint for productization
Product Development: develop the product and ship it (on-premise) or operate it (cloud service)
Role of SAP Security Research along this chain: identify new concepts, transfer, consultation
Technology readiness levels (TRL) according to the EU definition (Horizon 2020):
TRL 1 – basic principles observed
TRL 2 – technology concept formulated
TRL 3 – experimental proof of concept
TRL 4 – technology validated in lab
TRL 5 – technology validated in relevant environment
TRL 6 – technology demonstrated in relevant environment
TRL 7 – system prototype demonstrated in operational environment
TRL 8 – system complete and qualified
TRL 9 – actual system proven in operational environment
SAP Security Research Strategy 2020
Zero Vulnerability: minimize vulnerabilities to ensure maximum protection
Defendable Application: identify and prevent attacks from within the application
Zero Knowledge: ability to store data encrypted in the cloud and protect it from outside control
Machine Learning: enabler for the next generation of security
Security as Business Enabler: use security to enable new business and support the transition into a digital world
Future Technology: get into concepts and technologies which will change the security of the future
Topics: Software Security Analysis, Open Source Analysis, Applied Cryptography, Anonymization, Deceptive Application, Blockchain, Quantum Technology, Secure IoT
Research and innovations: From security now toward security tomorrow

Open Source Security (Relevance: now)
Trend: Market research companies estimate that more than 80% of the codebase of a typical Java application is open source.
SAP Security Research: SAP's vulnerability discovery tool for open source, VULAS, is contributed as open source to accelerate open source security.

Built-in Security (Relevance: now to 3 years)
Trend: Huawei plans to spend at least US$2 billion for a secure software redesign (bloomberg.com, Dec 07, 2018).
SAP Security Research: Built-in security to harden the security of existing and future software. A tainting approach in SAP Cloud Platform is available as a beta version; deceptive application is under research in close collaboration with first applications.

Privacy enables an Intelligent Enterprise (Relevance: 1 to 3 years)
Trend: Customer experience (CX) is at the top of the CEO agenda (Gartner, 2018).
SAP Security Research: Works on automated text anonymization for text mining that preserves the possibility of performing automated content and sentiment analysis but avoids authorship attribution; a prerequisite for experience management in an intelligent enterprise.

Artificial Intelligence and Machine Learning (Relevance: now to 10 years)
Trend: An intelligent enterprise brings together machine and human intelligence (SAP's product strategy, 2018).
SAP Security Research: A research road map for intelligent security is available, with first solutions using ML to discover vulnerabilities in open source and to detect security threats from the dark web.

Quantum Technology (Relevance: 5 to 15 years)
Trend: Quantum computing is one of the top 10 IT trends for CIOs (Forrester, Dec. 2018).
SAP Security Research: Within the EU project "QIA – Quantum Internet Alliance", quantum technology is used for communication secured by physics, a preparation for the next generation of the Internet.
Chronos and Kairos – Strategy and Opportunities
Strategy vs. Opportunities & Exploration
Emerging Topics at SAP Security Research
(Diagram: topics plotted by scientific maturity against product / tool maturity of results, with high vs. low investment; stages Explore, Research, Run, Monitor; areas Exploration, New Research, Innovation & Research, Innovation, Productization; strategy vs. result)
Topics shown: VULAS, SVM, Deceptive Application, Software Security, Applied Crypto, Anonymization, Machine Learning, Blockchain Hacks, Quantum Technology, Open Source Security, ETD, Tainting, SMASH, Blockchain Security, FaaS Security, Social Engineering Attacks, Security of Bots, Diff Privacy, ML in VULAS, Log learning for ETD, IoT Security, IoT
Trend – Past and new realities in the software stacks 1)

1999 (>95% home grown code):
Operating System – 100% from vendor, contract
Database – 100% from vendor, contract
SAP NetWeaver Application Server – 95% from SAP
SAP ERP – >98% from SAP
SAP GUI – 90% from SAP

2019 (<5% home grown code):
Operating System – 100% "from the Internet"
Kubernetes, Docker, Cloud Foundry – 100% "from the Internet"
Container Operating System – x times "from the Internet"
Application server (Tomcat, node, ..) – 90-100% "from the Internet"
Browser, JavaScript – 100% "3rd party or Internet"
Microservice (npm, python, Java, …) – 90% "from the Internet"

1) Holger Mack, Tom Schröer, SAP Product Security Summit 2019, "Security Midlife Crisis"
Example VULAS: From research to a patented, productive and officially recommended security scan service
(Timeline 2015–2018, preceded by Posecco, EU funded research project, 2013–2015)
Milestones: v.1.0 (based on SAP HANA XS1); VAMOSS, EU funded research project; go-live v.2.0 (Java microservices on Docker); added static analysis; metric-based update recommendations; Vulas for Python; Sirius/Security Hub integration, Vulas officially recommended at SAP to scan Java (after comparison with 3rd-party commercial tools); open source contribution
Venues and awards: ICSME, RSA, ESORICS, ESEM, DKOM, SAP Security Experts Summit; ICSME Distinguished Paper Award
Vulas today: v.3.0.9, 760+ vulnerabilities, 900+ projects, 6800+ modules, 540k+ scans since 2017
Collaboration
Funded projects (H2020, EIT, EID, BMBF, ANR, …); currently: …
Bilateral research contracts
PhD program
Publications
Scientific community service (PC, conferences)
SAP Security Research Seminar
Lessons Learned
Strategy alignment on all corporate levels is needed:
    digital transformation requires secure systems
    security as technology foundation and business enabler
    build or buy
    low footprint on processes: automation
Accept failure: can you risk missing an opportunity?
Funding strategy is determined by corporate strategy
Collaborate with strong partners: academia, research institutes, business
Key to successful proposals: a clear problem statement and a convincing solution idea
Volkmar Lotz
Research Strategy Lead
SAP Security Research
Sophia Antipolis, France