SAP Security: five ways to make sure you’ll be hacked

Hacker attacks threaten SAP security: All alarmist nonsense?(A guide of the less serious sort.)
Let’s be honest right off the bat: There’s a lot of hype in the media about IT security in general and SAP security in special these days. But is there really anything behind it? Those headlines about millions of data records going missing always affect someone else – whether it’s Equifax across the pond or the big tech companies that have been infiltrated by organized groups of Chinese hackers. It’s all alarmist nonsense!

SAP systems aren’t vulnerable to hacking…right?

Don’t believe me? There are individual hackers out there, of course, but they’re mostly just kids with too much time on their hands. All they want is to have a little fun; they’re definitely not interested in SAP systems. Besides causing you unnecessary stress, efforts to protect SAP systems are a waste of resources, and they don’t even work in the end. To see for yourself, simply read on.

1. Securing SAP Gateway

Why would you ever need to safeguard SAP Gateway? Of course, anyone could theoretically break into your SAP systems under certain circumstances, even without a user and password. The probability of that happening is pretty low, though. After all, you don’t see very many external consultants in the world of SAP, and you can obviously count on your own employees. And insider attacks? More unsubstantiated hype. What could possibly happen there? Even if your production system grinds to a halt and you have to start handling all your business processes manually, what’s the big deal? It worked well enough 50 years ago!

2. Hardening SAP systems and applications

Software companies have put a good deal of thought into programming their systems. Whether it’s an OS, a network, or a database, you can rest easy knowing that there’s not a single error to be found in all those millions of lines of code. Meanwhile, your own developers are clearly beyond reproach; they know what secure and correct programming requires. And your administrators – who, let’s face it, only ever have to fix printer problems as it is – will have an even easier job. Why else do we have manuals and wizards to help us configure the right settings? It’s practically idiot-proof. Making an extra effort to secure such things just takes up resources without offering any benefits.

3. Setting SAP authorizations correctly

Security isn’t the only thing you’ll hear experts and the media going on and on about. “Compliance” is another empty buzzword. What’s so inappropriate about allowing an employee to both create a vendor and pay invoices without any limit checks on the amounts involved? It actually saves a lot of time and effort when you grant full authorizations to all your employees. Besides, it takes a real expert to bring down an entire SAP system using an SAP_ALL profile. Your systems aren’t a likely target for attacks anyway. Who wants to steal sensitive data from a small business? Nefarious insiders looking to gather important information before changing jobs? Fairy tales! There must be some other reason why your main competitor has been reacting so quickly to your pricing changes ever since your head of sales switched sides…

4. Setting up real-time monitoring for SAP security

Do you have an e-recruiting portal that’s visited by thousands of users every day? Of course you do, and of course it’s directly connected to the SAP system that houses your most critical data.  And now they’re trying to tell you there are bots that automatically search for common vulnerabilities and can attempt countless user-password combinations per second? Sounds like pure fiction. Why would you invest money in an SIEM system that only produces an incredible amount of data no one can even begin to sort through? Filters, correlations among unusual activities, signs of targeted attacks – these are just more buzzwords the developers have come up with to scare people. As if that weren’t enough, you supposedly need to have someone who’s always on alert. In the unlikely event that an attacker makes it past your IT security infrastructure, he or she will have to find another opening in your SAP system or another application, but your admins are sure to notice right away. They’ve got nothing but time, after all, and a printer on the fritz can wait a few minutes.

5. Installing security updates

All right, maybe not every software manufacturer is infallible. When a security flaw does come to light, however, there’s no need to rush to install the fix. No hacker in the world is fast enough to devise an exploit just two weeks after a patch is released. This is particularly true of SAP systems, where even the most pernicious hacker is sympathetic to the fact that your system controls your production and can’t simply be restarted. Plus, all the manual steps involved in installing patches take a whole lot of time – and time is money, as they say. At the same time, you reckon the risk of losing a few million here or there due to production downtime is just the cost of doing business.

SAP security and compliance: Achieve comprehensive security and safeguard your systems against attacks

After reading these five arguments, you still aren’t convinced? Good! As you’ve probably figured out by now, that wasn’t really the idea. Quite the opposite, in fact: With a new cyberattack or loss of data making headlines nearly every week, IT security is playing an increasingly important role. The points outlined above reflect just a few of the subjects you should start prioritizing more in your corresponding strategy (if you aren’t already). In particular, SAP systems – which most companies use to store their most sensitive and important data – require comprehensive protection. This is exactly what SAST SUITE and our team of SAST consultants offer: extensive hardening of your SAP system landscape in real time, along with expertise that meets your specific needs.

Interested in finding out how they pull this off? Check out our SAST SOLUTIONS website or send an e-mail to

Patrick Boch, Product Manager SAST SOLUTIONS


More articles for your SAP security and compliance:

SAP Security & Compliance: “Customers need Solution Providers.”

SAP Security and Hosting: Hacking 40 SAP Systems in One Fell Swoop