SAP Security & Compliance: Challenges in the Context of S/4HANA, Code Security, and the Cloud

SAST DAYSThey say that major events cast a shadow that portends their arrival. In SAP environments, this applies in particular to the transition to S/4HANA, which companies will need to make before maintenance for SAP ERP expires in 2025.

As we covered this pending migration from various perspectives at our SAST DAYS 2019 event, interest in the topics of authorizations and code security was especially high. Let’s take a look back at those exciting days, which presented a balanced mix of current challenges and assorted solutions.

Fiori and S/4HANA authorizations: brownfield or greenfield?

To kick off SAST DAYS 2019, we highlighted a subject that is likely weighing heavily on the minds of most customers who are about to migrate to S/4HANA: authorizations in Fiori environments. This detailed presentation focused on showing that the differences between ERP and S/4HANA are much larger than SAP has announced. To offer just one example, S/4HANA has around 16,000 more transactions than ECC 6.0. This and other changes should definitely be taken into account in migration projects. SAST SOLUTIONS project lead Ansgar Rümpker then demonstrated both a project procedure for greenfield approaches – that is, one involving a fresh installation of S/4HANA – and for brownfield approaches for migrating existing systems. These approaches affect authorizations in different ways, which is why there’s no universal answer as to which will work best for each individual company.

Security and compliance for SAP Cloud

The next topic was aiming at the future, and it was a big one. When it comes to the cloud, the feedback from those in attendance was clear: Many customers still want to bide their time before making the move, but prepare accordingly, as well. “The cloud is going to affect all of us at some point, so it’s all the more important that we get an early start on figuring out the ramifications in presentations like these,” one participant pointed out. The impact of SAP’s “cloud-first” strategy is already easy to see. SAP customers who want to keep their systems secure and up-to-date in the future should therefore be sure to put the cloud on their agendas. While the topics related to cloud security and compliance don’t differ significantly from those that play a role in on-premise operations, the ways in which companies approach them certainly do in some cases. Jonas Kelbert, software developer at SAST SOLUTIONS, held a presentation on this very subject.

System interfaces in cloud environments and SoD analyses in SAP Cloud apps

Meanwhile, another insight became increasingly evident as the event went on: Before moving to the cloud, you first need to safeguard your existing system. Particular attention needs to be paid to interfaces in this regard, as SAST product manager Patrick Boch emphasized in his presentation. In Boch’s experience, companies often don’t have a clear overview of the interfaces present in their current systems and the measures taken to secure them (if any!). Taking stock of these interfaces and locking them down should thus be the first steps taken on the path into the cloud. The further challenges that await in this regard were then covered by Ralf Kempf, CTO of SAST SOLUTIONS, in his presentation on identities in cloud environments. Kempf underscored how customers need to be particularly mindful of conflicts in the segregation of duties (SoD) and presented a tool-aided approach that makes it easy to maintain a corresponding overview despite the different technical services involved. Here, SAST SUITE makes it possible to keep an eye on a user’s identities across multiple systems and identify SoD conflicts in a fast, transparent manner.

A step-by-step guide to secure ABAP coding

The presentation that followed featured plenty of practical experience on the topic of code cleanup, with lead developer Stefanie Jasser reporting on a recent code cleansing project with a major German automotive supplier. With the help of an integrated framework, the SAST team not only quickly mitigated the vulnerabilities in the customer’s own ABAP code; it was also able to use contextual information from SAST SUITE to identify relevant flaws with the necessary precision. Thanks to our “soft cleansing” approach, which includes a logging phase before the changes made to productive code go live, the team even managed to clean up the code in question without affecting the customer’s ongoing operations.

SAST Managed Services for SAP security and compliance

We also have positive things to report from another customer project. In this case, a service provider for one of the largest German banks was facing the challenge of setting up a dedicated, real-time monitoring system to protect its SAP systems from potential attacks. While the customer was under tremendous pressure to meet very high security and compliance requirements, it wasn’t possible to assemble own resources to handle this type of continuous scanning. This was why the customer decided to work with akquinet – the only provider on the market that offers SAP security monitoring in real time in the form of managed services.

With all the challenges out there, SAST offers just as many solutions – and more

Those who attended SAST DAYS 2019 came away focused on the future. “Over the course of the day, we realized how much work we have in front of us,” one customer offered in summary. “That makes it all the more comforting to know that there are tailored solutions out there.”

Rald Kempf, CTO SAST SOLUTIONSRalf Kempf, CTO of SAST SOLUTIONS, also had a positive overall impression of this year’s SAST DAYS. “We’re obviously happy to have customers and contract partners who want us to help them tackle the many challenges they’ll be facing in the future,” he affirmed. “At the same time, our conversations with them have also shown that they’re not the only ones with work to do: We – along with SAP, of course – will need to do our homework, as well. With SAST SUITE and our teams of experts, we plan to remain the first place people contact when it comes to SAP security and compliance.”

Are you interested in more information on these topics? If so, have a look through the webinars we currently have on offer, or browse our webinar archive.

Are you facing similar challenges? Would you like to find out more about comprehensive protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail at

SAST DAYS for SAP security and compliance: Register for 2020 now!

SAST DAYS 2020At our regular round-table discussions, our experts cover the latest developments in SAP security and compliance for both end customers and our own contract partners. We also offer insights into intriguing customer projects and a forum where participants can share their ideas and experiences. With the dates already set for 2020, you can now register on our event page.

We are looking forward to seeing you!


This might also be of interest to you:

How can I quickly migrate SAP custom code to S/4HANA?

Authorizations for batch processing in NetWeaver and S/4HANA environments.