In our experience, in far too many cases, the way companies neglect the security of their SAP system is borderline reckless. It's rare that we come across cases where the infrastructure has been properly hardened and effective authorization management is an everyday priority. That's why most threats are identified far too late.

To assess the risk exposure of your SAP landscape, we identify all the potential attack vectors.

If your company's migration to SAP HANA is right around the corner, our SAP security experts are the ideal partner for safeguarding your systems and ensuring all the necessary security settings before you start your transition.

Benefit from our experience with successfully implemented projects and individual recommendations for action from our SAP security experts.

Audits and penetration tests

Auditing and penetration testing for SAP system landscapes: It is well-known that SAP systems are involved in generating a major share of global economic output. The extent of damage done to IT infrastructure and companies through attacks is hardly predictable. This makes it all the more important to design SAP systems to be as resilient as possible from the beginning.

SAP security & compliance audit

Our SAP security & compliance audits help you to assess the actual risk potential of your SAP landscape and identify all your potential attack vectors – from your infrastructure and the settings and parameters of your SAP systems and components to authorizations and potential SoD issues.

We can also factor in any custom developments you use, including those based on ABAP or Java. Our audits are also the ideal solution as part of a pending migration to SAP HANA or SAP S/4HANA, to safeguard your systems and take all the necessary security measures in advance.

The seamless transparency you need:

Our security and compliance audits are based on SAP’s security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. We also guarantee systematic coverage and analysis of all the relevant check fields through the use of our own certified GRC software, the SAST SUITE.

In a final presentation, you’ll also receive a detailed breakdown of how your systems deviate from the ideal configuration, including an analysis of the underlying reasons and resulting risks for your company.

Our approach to projects at a glance:

  • Review of the mechanisms that control access to your systems
  • Security tests at the network, operating system, and database level
  • Inspection of your Internet configurations and encryption settings
  • Analysis of your critical area-specific and SAP system authorizations
  • Examination of your user authorizations and check for critical authorizations and SoD conflicts
  • Evaluation of your authorization, emergency user, and operational concepts
  • Analysis and assessment of your process controls and control organization

Get clean

It goes without saying that we can also support you in a follow-on project for system hardening and optimization, in which the security risks identified in the audit are systematically eliminated and mitigated.

Stay clean

Have you already done your homework when it comes to securing your SAP system landscape? If you have, our SAST Security Radar will help you ensure that all decisions and security-critical settings made in the project are actually retained in the future.

Do you lack the internal resources for real-time monitoring? Use our SAST Managed Service, because security is always on our radar screen.

Penetration test

“There are only two types of companies: Those that have been hacked and those that will be hacked.” This quote from a former FBI director describes the specific challenge facing IT security today: Complex cyberattacks are increasing in frequency and often remain unnoticed for far too long.

From external attacks to manipulations by internal employees, our experts can simulate various incursions to mimic common attack patterns and methods, force their way into your SAP systems, and reveal their vulnerabilities.

We base our penetration tests on BSI recommendations and our own tried-and-tested best practice scenarios. We distinguish two penetration test procedures, which can be carried out independently of one another. To achieve maximum security, however, we recommend carrying them out in the following sequence:

Level 1: Black box test without user ID from the Internet

We simulate typical attacks by external hackers, utilizing realistic attack patterns. Our experts search through publicly accessible databases and inquire with various sources to find the information they need.

The aim is to gain access to your systems as an unauthorized user and to demonstrate the ability to call functions at the operating system, database, or application layer by exploiting technical vulnerabilities.

Level 2: White box test with user ID from the Internet

We use this procedure to simulate internal manipulations. The scope of knowledge we use ranges from information that is well-known among the workforce to the detailed level of system proficiency that IT service providers might have.

We conduct our white-box tests manually to uncover the internal vulnerabilities in your databases, applications, and operating systems.

Our approach to projects at a glance:

  • Realistic attack patterns simulate external hacks and internal manipulation
  • Reveal the vulnerabilities in your SAP systems and authorizations
  • Shed light on the possible ways to access your systems
  • Assess security at the database, application, and operating system level
  • Analyze the potential time horizon and the prior knowledge available to exploit potential vulnerabilities
  • Final presentation that includes documentation of our assessment methods and tailored recommendations for your company
  • Follow-up workshop where we present the vulnerabilities we’ve found and explain the specific risks your company faces

Before you subject your SAP systems to the real stresses of our penetration testing, we recommend scheduling one of our SAP security & compliance audits. It gives you full transparency of the risk potential in your system landscape.

Do you want to be able to monitor the attacks involved in the penetration tests in real time and stay on top of the situation in the event of actual future attacks? Our SAST Security Radar gives you 360° real-time monitoring of your entire SAP system landscape and can be fully integrated with established SIEM solutions such as QRadar, Splunk, ArcSight, and others.

Web Application Security Assessment

Web applications often open the floodgates to attackers, enabling them to penetrate IT systems and steal valuable enterprise information. They can gain easy access through vulnerabilities in the applications or in the platform where they run. In addition, the complexity and flexibility of SAP software often result in massive security vulnerabilities.

This is why all system components and data have to be protected. We will be happy to support you in identifying these security risks.

Our service for optimizing the security of SAP web applications includes the following measures:

  • Current inventory of all applications used
  • Analysis of the application software
  • Configuration and review of authentication and authorization

In addition, supporting components such as SAProuter, SAP Web Dispatcher, reverse proxies, and the firewall are examined to ensure they are securely configured.

Protection and hardening

Protection and hardening of SAP systems and interfaces: To improve your SAP security, we can provide you with a detailed list of measures you should take, ideally building on the recommendations we make after a corresponding audit. If you wish, we can also support you with eliminating all the vulnerabilities we find and advise you on securing your systems for the long term.

SAP RFC and Gateway: analysis and hardening

Due to the high sensitivity of business data and the potential paths into a system through insecure gateways, the security of interface communication must always be given a high priority. However, SAP’s standard software doesn’t provide a comprehensive, centralized means of analyzing the RFC interfaces in your systems.

As a result, their protection is often neglected. Instead, technical users are granted extensive authorizations, and trusted relationships between systems are rarely documented. During a clean-up project, we identify these vulnerabilities and eliminate them permanently.

An RFC interface analysis lets you document all RFC interfaces in an SAP system landscape (active and passive), identify potential vulnerabilities, and find out how to protect against them. This approach focuses on the following interfaces and connections:

  • System interfaces between SAP and non-SAP systems
  • RFC interfaces
  • Trusted relationships
  • Remote database connections

In an SAP Gateway protection project, we analyze your communication links, assess the protective measures already in place, create effective access control files, and support you in going live with the secured configuration. Afterwards, your systems and data will be much better protected, enabling you to concentrate entirely on your daily operations.
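As an added illustration of what reviewing gateway access control files involves (this is example code written for this page, not SAST's tooling, and the secinfo/reginfo contents are constructed samples), the following Python script parses the two SAP Gateway access control files, secinfo and reginfo, and flags permit rules that open the gateway to any program or any host:

```python
"""Lint SAP Gateway access control files (secinfo, reginfo) for broad permits.

VERSION=2 rule syntax (SAP's public gateway documentation):
  secinfo: P|D TP=<program> HOST=<hosts> USER=<user> [USER-HOST=<hosts>]
  reginfo: P|D TP=<program> HOST=<hosts> [ACCESS=<hosts>] [CANCEL=<hosts>]
Lines starting with '#' are comments; the first line is '#VERSION=2'.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    lineno: int
    action: str                     # "P" = permit, "D" = deny
    params: dict = field(default_factory=dict)


def parse_acl(text: str) -> list:
    """Parse a secinfo/reginfo file into Rule objects (comments skipped)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        params = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {tok!r}")
            params[key.upper()] = value
        if "TP" not in params:
            raise ValueError(f"line {lineno}: rule without TP=")
        rules.append(Rule(lineno, action.upper(), params))
    return rules


def _is_wild(value: str) -> bool:
    """True if a comma-separated host/program/user list contains a bare '*'."""
    return any(item.strip() == "*" for item in value.split(","))


def find_weak_rules(rules: list) -> list:
    """Return (lineno, reason) pairs for permit rules that are too broad.

    A missing HOST= is treated as '*' for linting purposes; that is an
    assumption made here, not a statement about the gateway's own defaults.
    """
    findings = []
    for r in rules:
        if r.action != "P":
            continue
        tp, host = r.params["TP"], r.params.get("HOST", "*")
        if _is_wild(tp) and _is_wild(host):
            findings.append((r.lineno, "permits any program from any host"))
        elif _is_wild(host):
            findings.append((r.lineno, f"program {tp} permitted from any host"))
        if _is_wild(r.params.get("ACCESS", "")):
            findings.append((r.lineno, f"registered program {tp} callable from any host"))
    # An explicit final deny makes the file's intent independent of defaults.
    if not rules or rules[-1].action != "D":
        findings.append((0, "no explicit final deny rule (D TP=* HOST=* ...)"))
    return findings


def lint(text: str) -> list:
    return find_weak_rules(parse_acl(text))


# Constructed sample files (not taken from any real system).
SECINFO_WEAK = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""
SECINFO_HARDENED = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""
REGINFO_SAMPLE = """#VERSION=2
P TP=* HOST=local
P TP=* HOST=internal
P TP=rfcserver HOST=app01.example.invalid ACCESS=*
D TP=* HOST=*
"""
```

Running `lint(SECINFO_WEAK)` reports the catch-all permit on line 2 plus the missing final deny; the hardened secinfo produces no findings, and the reginfo sample is flagged only for the registered program that any host may call.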

SAP HANA DB authorization concepts

With SAP S/4HANA and the SAP Fiori launchpad, SAP provides a technology that enables data access through an SAP application server and even native access that bypasses the application servers. Direct, native access to the SAP HANA database is becoming increasingly relevant, not least because it increases processing speed.

SoD risks and the assignment of critical authorizations are already significant factors within the SAP system. These items are at the top of any auditor’s agenda. As the SAP HANA database continues to increase in importance and its user numbers continue to climb, access control by means of database privileges is growing in relevance as well. Safeguards in the SAP application are insufficient when the application server can be bypassed.

Protect your data and the availability of the SAP HANA database by developing a concept for user administration and authorization management and then implementing it consistently. We will be happy to support you with our expertise in producing a document that defines standards and principles for granting privileges in the SAP HANA database. An authorization concept for the SAP HANA DB is needed to ensure the appropriate level of security for the communication and data involved in running an SAP HANA database system.

We’ll be happy to assist you with its design and implementation.

SAP security concept

Security policies are essential to defining the basic standards that guarantee SAP security. The internal control system also requires security concepts. These two reasons make it necessary for every enterprise to define policies and keep them up to date. An SAP security concept can help with this.

Our SAP security concepts contain binding specifications on all aspects of security in your SAP ERP and SAP S/4HANA systems – at the operating level and for all the internal and external parties involved. In addition to our own experience as SAP security experts, we of course follow the recommendations of SAP, DSAG (the German-speaking SAP User Group), and the BSI. We’ll be happy to assist you with designing and implementing a comprehensive security concept.

The following aspects are described within this SAP security concept:

Determining the protection requirements of the SAP systems

In this process, we assign your SAP systems to protection requirement classes, under consideration of the master data and transaction data they contain, as well as their parameters as development, quality assurance, and production systems.

Defining the customer security policy and an audit plan

In this step, we work with you to define your individual security policy and create a periodic audit plan that contains risk responsibilities and implementation requirements for the areas of operating platform (operating system, database, network), application server platform, and application server users and authorizations.

SAP SNC implementation

Under the name Secure Network Communication (SNC), SAP offers a network protection interface that enables users to log on to SAP systems without having to enter a user name or password. In the standard system, SAP data is transmitted as clear text. Thanks to the additional features of an SNC interface, however, the transmission paths can be encrypted to enable secure logon to an SAP system.

During an SAP SNC implementation project, we analyze your existing SAP system landscape and support you with the introduction of cost-neutral network encryption based on Kerberos (native), SAP Client Encryption, or third-party encryption – including go-live support.

As such, we can help you implement SNC without major effort or expense.

For more information, read our SAST BLOG post “SNC encryption made easy: SAP security even without SSO”.

SAP data loss prevention and detection

Do you already use data loss detection to protect your SAP applications? Increasingly simple methods for data theft are making it more and more complex to achieve data privacy and data security. Our data loss prevention solutions support you with safeguarding your SAP systems proactively and protecting your data.

Before deploying a software tool for monitoring data downloads, we recommend defining a monitoring strategy and potential approaches to risk handling.

Step 1: Definition and safeguarding of data worth protecting

Our services at a glance:

  • Data classification: We work with you to determine what data is present in a system and assign it to different protection classes based on your specific requirements.
  • Access authorization: We work with you to define a concept for access protection. In line with GDPR demands, data access rights are kept to the bare minimum possible and restricted in the SAP standard.
  • Download authorization: Like access authorizations, download authorizations can also be restricted in the SAP standard. Here, as well, our experts help you with conceptualizing and implementing download authorizations.

Step 2: Identify and analyze unusual downloads

The SAST SUITE lets you monitor downloads from your SAP systems and gives you the big picture as to who has downloaded which data and from which sources. Sensitive data, accesses, and downloads are identified and safeguarded by the system as effectively as possible. Violations of the rules you have defined can be monitored with software support, assessed, and met with the appropriate countermeasures.

SAST SUITE software functions at a glance:

  • Automatic monitoring of downloads: Our software automatically monitors downloads of sensitive data from your SAP system. This gives you an effective tool for protecting your company against industrial espionage and GDPR violations.
  • Logging of data extracts using the SAP GUI and Office features: The SAST SUITE logs all data extracts by the SAP GUI and Office features, as well as outgoing e-mails, including size and recipient. To do so, information from the Security Audit Log is analyzed. Logging is implemented to minimize obstacles to users.
  • Notification of download logging before downloads: Before downloading critical data, your users can be notified in a dialog box that the download will be logged. This makes it possible for you to cancel unwanted downloads and trace unauthorized downloads back to specific users.

Our specialists in data loss prevention and data loss detection will be happy to support you with identifying your sensitive data, classifying it, and giving it optimal protection from the start through access authorizations and standard SAP tools.

Source code analysis and cleansing

The number of custom developments and third-party add-ons in SAP systems is continually on the rise. In our experience, however, the quality of the coding is usually insufficient when it comes to security, making it an increasingly attractive attack vector.

Manual source code analyses are extremely time-consuming and cleansing requires specialist expertise.

Step 1: Vulnerability analysis

Our experts use standard SAP tools that we have enhanced with our own, proprietary security rules. You can use the SAST Code Vulnerability Analysis to examine ABAP code directly in your SAP systems. Combine this with our tried and tested recommendations and you have a perfect basis for addressing identified risks incrementally.

Step 2: Vulnerability cleansing

Our security experts support you with eliminating vulnerabilities and building up internal knowledge for the ongoing avoidance of risk at your company. To do so, we use a proven method for handling code scan results that is officially recognized by business auditors. Your benefits: Reduce the effort required for necessary code adjustments by up to 90 percent, for example, by including context information. Technical and organizational measures make it possible to reduce the number of necessary changes even further.

You can use finding lists from any scanners, making you fully independent of any previously used code analysis tool.

Our approach to projects at a glance:

  • Initial workshop: Take inventory, explanation of the processes, customer-specific prioritization of risks, definition of the project scope and project roles
  • Activation of the SAST code scan
  • Individual coordination of the cleansing solution with your protection requirements
  • Optional: Training your developers to avoid code risks in the long term

SAP HANA and SAP S/4HANA migration

Ready for the digital future with SAP HANA and SAP S/4HANA: Every company faces a migration to SAP S/4HANA in the foreseeable future. To use this new platform at all, however, you need to migrate your database to SAP HANA. Thanks to a technical check in advance and structured security planning, your systems get ready for the digital future.

SAP S/4HANA Readiness Check

The new generation of ERP business suites is based completely on the SAP HANA in-memory platform, which features real-time analyses as a major advantage. The conversion of the systems is complex, however, and presents a number of challenges. Many ERP systems lack the technical prerequisites for conversion to SAP S/4HANA.

Good preparation of this technical system migration is one of the key success factors of the transition process.

Are you planning your SAP S/4HANA migration? We can help your organization and your systems with optimal preparations. To determine whether you meet the technical requirements for a migration to SAP S/4HANA, we conduct an extensive security check at the operating platform level for SAP HANA on Linux. We then develop an action plan and support you with carrying out the steps we recommend.

SAP HANA migration

When it comes time to migrate their SAP systems to SAP HANA, many managers face the task of updating their current foundation – the database. After all, the success and productivity of most user enterprises are fundamentally dependent on the security and availability of their data.

Projects like this take not only a lot of time but also a great deal of experience and expertise. Many IT departments struggle to achieve this on their own. We support you with our sound expertise and ensure that your database migration to SAP HANA runs smoothly and securely.

Our project methodology:

To protect the target platform according to the latest security recommendations from the start, we initially conduct a security audit of the target platform. In the first step, this includes a fundamental analysis of the security settings needed to run the new SAP HANA platform for the following areas:

  • Operating system (UNIX)
  • Database (SAP HANA configuration and SAP HANA authorizations)
  • Network (architecture and SAP interfaces)
  • SAP Application Server

All audit activities reflect the security recommendations of the DSAG Audit Guide 2.0 and SAP security guidelines. All identified vulnerabilities are documented and can be eliminated directly. This means you harden the target system before migrating your data – either on your own or with our assistance.

From this point, differentiated compliance checks with a special focus on your authorizations provide a documented security analysis of your new system. You will, of course, receive all the results in a full report directly from our experts.

With SAST SUITE software, we can carry out all necessary security checks completely. All the same, we will be happy to support you no matter what solution you choose.


Monitoring and controlling

SAP security monitoring: Once you have raised the security of your SAP systems to a safe level, you of course want to maintain this status in the long term. This makes it essential to establish extensive SAP security monitoring, because it is the only way to make sure that your systems will remain protected against unauthorized access well into the future.

Real-time monitoring of SAP systems

Detecting attacks based on log files and analyzing network traffic requires in-depth knowledge of the potential paths and patterns such incursions can follow. Intelligent information management is necessary in order to assess security data of this kind. Events relevant to security have to be filtered out of a sea of data and placed in the proper context.

A security monitoring strategy, coupled with integration of a comprehensive SIEM tool, makes this possible. Our security dashboard shows you all security-relevant incidents in your SAP system landscape at a glance, enabling you to identify risks and implement countermeasures in real time.

We will be happy to work with you to develop an individual security monitoring concept for your system landscape, to establish centralized, real-time monitoring and a comprehensive risk management system.

Do you need support?

Our SAP security experts will find the right solutions for you.

"From the experience of our security reviews we know: every system is vulnerable. It is only a question of how difficult it is and how long it takes. Using the right concept, the probability of a successful attack can be significantly reduced."
Florian Wunder, COO SAST SOLUTIONS
"Many companies focus on only the most important SAP systems in the context of IT security. We recommend analyzing your entire system landscape: This ensures that vulnerabilities are cleaned up and allows for excellent synergies."
Steffen Maltig, Head of SAP Consulting, SAST SOLUTIONS


Copyright akquinet enterprise solutions GmbH. All Rights Reserved.