SAP Security Consulting

We can also factor in any custom developments you use, including those based on ABAP or Java. Our audits are also the ideal solution as part of a pending migration to SAP HANA or SAP S/4HANA, to safeguard your systems and take all the necessary security measures in advance.

The seamless transparency you need:

Our security and compliance audits are based on SAP’s security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. We also guarantee systematic coverage and analysis of all the relevant check fields through the use of our own certified GRC software, the SAST SUITE.

In a final presentation, you’ll also receive a detailed breakdown of how your systems deviate from the ideal configuration, including an analysis of the underlying reasons and resulting risks for your company.

Our approach to projects at a glance:

• Review of the mechanisms that control access to your systems
• Security tests at the network, operating system, and database level
• Inspection of your Internet configurations and encryption settings
• Analysis of your critical area-specific and SAP system authorizations
• Examination of your user authorizations and check for critical authorizations and SoD conflicts
• Evaluation of your authorization, emergency user, and operational concepts
• Analysis and assessment of your process controls and control organization

Get clean

It goes without saying that we can also support you in a follow-on project for system hardening and optimization, in which the security risks identified in the audit are systematically eliminated and mitigated.

Stay clean

Have you already done your homework when it comes to securing your SAP system landscape? If you have, our SAST Security Radar will help you ensure that all decisions and security-critical settings made in the project are actually retained in the future.

Do you lack the internal resources for real-time monitoring? Use our SAST Managed Service, because security is always on our radar screen.

From external attacks to manipulations by internal employees, our experts can simulate various incursions to mimic common attack patterns and methods, force their way into your SAP systems, and reveal their vulnerabilities.

We base our penetration tests on BSI recommendations and our own tried-and-tested best practice scenarios. Penetration tests are differentiated between two different procedures, which can be carried out independently of one another. To achieve maximum security, however, we recommend using the following sequential method:

Level 1: Black box test without user ID from the Internet

We simulate typical attacks by external hackers, utilizing realistic attack patterns. Our experts search through publicly accessible databases and inquire with various sources to find the information they need.

The aim is to gain access to your systems as an unauthorized user and to demonstrate the ability to call functions at the operating system, database, or application layer by exploiting technical vulnerabilities.

Level 2: White box test with user ID from the Internet

We use this procedure to simulate internal manipulations. The scope of knowledge we use ranges from information that is well-known among the workforce to the detailed level of system proficiency that IT service providers might have.

We conduct our white-box tests manually to uncover the internal vulnerabilities in your databases, applications, and operating systems.

Our approach to projects at a glance:

• Realistic attack patterns simulate external hacks and internal manipulation
• Reveal the vulnerabilities in your SAP systems and authorizations
• Shed light on the possible ways to access your systems
• Assess security at the database, application, and operating system level
• Analyze the potential time horizon and the prior knowledge available to exploit potential vulnerabilities
• Final presentation that includes documentation of our assessment methods and tailored recommendations for your company
• Follow-up workshop where we present the vulnerabilities we’ve found and explain the specific risks your company faces

Before you subject your SAP systems to the real stresses of our penetration testing, we recommend scheduling one of our SAP security & compliance audits. It gives you full transparency of the risk potential in your system landscape.

Do you want to be able to monitor the attacks involved in the penetration tests in real time and stay on top of the situation in the event of actual future attacks? Our SAST Security Radar gives you 360° real-time monitoring of your entire SAP system landscape and can be fully integrated with established SIEM solutions such as QRadar, Splunk, ArcSight, and others.

This is why all system components and data have to be protected. We will be happy to support you in identifying these security risks.

Our service for optimizing the security of SAP web applications includes the following measures:

• Current inventory of all applications used
• Analysis of the application software
• Configuration and review of authentication and authorization

In addition, support components such as SAProuter, web dispatcher, reverse proxies, and the firewall are examined, to ensure secure configuration.

As a result, its protection is often neglected. Instead, technical users are granted extensive authorizations and trusted relationships between systems are rarely documented. During a clean-up project, we identify these vulnerabilities and eliminate them permanently.

An RFC interface analysis lets you document all RFC interfaces in an SAP system landscape (active and passive), identify potential vulnerabilities, and find out how to protect against them. This approach focuses on the following interfaces and connections:

• System interfaces between SAP and non-SAP systems
• RFC interfaces
• Trusted relationships
• Remote database connections

In an SAP Gateway protection project, we offer you a customer-specific analysis of your communications links, an assessment of in-place protective measures, create effective access control files, and support you in going live with the secured configuration. After our treatment, your systems and data will be much better protected, enabling you to concentrate entirely on your daily operations.

SoD risks and the assignment of critical authorizations are already significant factors within the SAP system. These items are at the top of any auditor’s agenda. As the SAP HANA database continues to increase in importance and its user numbers continue to climb, the relevance of access control through accesses and privileges is also growing. Safeguards in the SAP application are insufficient when the application server can be bypassed.

Protect your data and the availability of the SAP HANA database by developing a concept for user administration and authorization management and then implementing it consistently. We will be happy to support you with our expertise in producing a document that defines standards and principles for granting privileges in the SAP HANA database. An authorization concept for the SAP HANA DB is needed to ensure the appropriate level of security for the communication and data involved in running an SAP HANA database system.

We’ll be happy to assist you with its design and implementation.

Our SAP security concepts contain binding specifications on all aspects of security in your SAP ERP and SAP S/4HANA systems – at the operating level and for all the internal and external parties involved. In addition to our own experiences as SAP security experts, we of course follow the recommendations of SAP, DSAG (the German SAP User’s Group), and the BSI. We’ll be happy to assist you with designing and implementing a comprehensive security concept.

The following aspects are described within this SAP security concept:

Determining the protection requirements of the SAP systems

In this process, we assign your SAP systems to protection requirement classes, under consideration of the master data and transaction data they contain, as well as their parameters as development, quality assurance, and production systems.

Defining the customer security policy and an audit plan

In this step, we work with you to define your individual security policy and create a periodic audit plan that contains risk responsibilities and implementation requirements for the areas of operating platform (operating system, database, network), application server platform, and application server users and authorizations.

During an SAP SNC implementation project, we analyze your existing SAP system landscape and support you with the introduction of cost-neutral network encryption based on Kerberos (native), SAP Client Encryption, or third-party encryption – including going-live support.

As such, we can help you implement SNC without major effort or expense.

For more information, read our SAST BLOG post “SNC encryption made easy: SAP security even without SSO”

Before deploying a software tool for monitoring data downloads, we recommend defining a monitoring strategy and potential approaches to risk handling.

Step 1: Definition and safeguarding of data worth protecting

Our services at a glance:

• Data classification: We work with you to determine what data is present in a system and assign it to different protection classes based on your specific requirements.

• Access authorization: We work with you to define a concept for access protection. In line with GDPR demands, data access rights are kept to the bare minimum possible and restricted in the SAP standard.

• Download authorization: Like access authorizations, download authorizations can also be restricted in the SAP standard. Here, as well, our experts help you with conceptualizing and implementing download authorizations. 

Step 2: Identify and analyze unusual downloads

The SAST SUITE lets you monitor downloads from your SAP systems and gives you the big picture as to who has downloaded which data and from which sources. Sensitive data, accesses, and downloads are identified and safeguarded by the system as effectively as possible. Violations of the rules you have defined can be monitored with software support, assessed, and met with the appropriate countermeasures.

SAST SUITE software functions at a glance:

• Automatic monitoring of downloads: Our software automatically monitors downloads of sensitive data from your SAP system. This gives you an effective tool for protecting your company against industrial espionage and GDPR violations.

• Logging of data extracts using the SAP GUI and Office features: The SAST SUITE logs all data extracts by the SAP GUI and Office features, as well as outgoing e-mails, including size and recipient. To do so, information from the Security Audit Log is analyzed. Logging is implemented to minimize obstacles to users.

• Note on download logging before downloads: Before downloading critical data, your users can be notified of download logging in a dialog box. This makes it possible for you to cancel unwanted downloads and track down unauthorized downloads user-specifically.

Our specialists in data loss prevention and data loss detection will be happy to support you with identifying your sensitive data, classifying it, and giving it optimal protection from the start through access authorizations and standard SAP tools.

Manual source code analyses are extremely time-consuming and cleansing requires specialist expertise.

Step 1: Vulnerability analysis

Our experts use standard SAP tools that we have enhanced with our own, proprietary security rules. You can use the SAST Code Vulnerability Analysis to examine ABAP code directly in your SAP systems. Combine this with our tried and tested recommendations and you have a perfect basis for addressing identified risks incrementally.

Step 2: Vulnerability cleansing

Our security experts support you with eliminating vulnerabilities and building up internal knowledge for the ongoing avoidance of risk at your company. To do so, we use a proven method for handling code scan results that is officially recognized by business auditors. Your benefits: Reduce the effort required for necessary code adjustments by up to 90 percent, for example, by including context information. Technical and organizational measures make it possible to reduce the number of necessary changes even further.

You can use finding lists from any scanners, making you fully independent of any previously used code analysis tool.

Our approach to projects at a glance:

• Initial workshop: Take inventory, explanation of the processes, customer-specific prioritization of risks, definition of the project scope and project roles

• Activation of the SAST code scan

• individual coordination of cleansing solution with your protection requirements

• Optional: Training your developers to avoid code risks in the long term

Good preparation of this technical system migration is one of the key success factors of the transition process.

Are you planning your SAP S/4HANA migration? We can help your organization and your systems with optimal preparations. To determine whether you meet the technical requirements for a migration to SAP S/4HANA, we conduct an extensive security check at the operating platform level for SAP HANA on Linux. We then develop an action plan and support you with carrying out the steps we recommend.

Projects like this not only take a lot of time, but also lots of experience and authority. Many IT departments struggle to achieve this on their own. We support you with our sound expertise and ensure that your database migration to SAP HANA runs smoothly and securely.

Our project methodology:

To protect the target platform according to the latest security recommendations from the start, we initially conduct a security audit of the target platform. In the first step, this includes a fundamental analysis of the security settings needed to run the new SAP HANA platform for the following areas:

• Operating system (UNIX)
• Database (SAP HANA configuration and SAP HANA authorizations)
• Network (architecture and SAP interfaces)
• SAP Application Server

All audit activities reflect the security recommendations of the DSAG Audit Guide 2.0 and SAP security guidelines. All identified vulnerabilities are documented and can be eliminated directly. This means you harden the target system before migrating your data – either on your own or with our assistance.

From this point, differentiated compliance checks with a special focus on your authorizations provide a documented security analysis of your new system. You will, of course, receive all the results in a full report directly from our experts.

With SAST SUITE software, we can carry out all necessary security checks completely. All the same, we will be happy to support you no matter what solution you choose.

Alle Prüfhandlungen berücksichtigen die Sicherheitsempfehlungen nach dem DSAG-Prüfleitfaden 2.0 sowie der SAP Security Guideline. Die so ermittelten Schwachstellen werden dokumentiert und können unmittelbar beseitigt werden. Somit härten Sie das Zielsystem, bevor Sie auf eigene Faust oder mit unserer Hilfe Ihre Daten im Anschluss migrieren.

Abschließend sorgen differenzierte Compliance-Prüfungen, mit besonderem Augenmerk auch auf Ihre Berechtigungen, für eine dokumentierte Sicherheitsanalyse Ihres neuen Systems. Selbstverständlich erhalten Sie alle Ergebnisse in einem Gesamtbericht direkt von unseren Experten.

Mit unserer Software SAST SUITE können wir alle erforderlichen Sicherheitsprüfungen vollumfänglich durchführen. Gerne begleiten wir Sie aber auch unabhängig der eingesetzten Lösung.