In our experience, in far too many cases, the way companies neglect the security of their SAP system is borderline reckless. It's rare that we come across cases where the infrastructure has been properly hardened and effective authorization management is an everyday priority. That's why most threats are identified far too late.
To assess the risk exposure of your SAP landscape, we identify all the potential attack vectors.
If your company's migration to SAP HANA is right around the corner, our SAP security experts are the ideal partner for safeguarding your systems and ensuring all the necessary security settings before you start your Transition.
Our audits are designed to help you determine your SAP landscape's actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations. We can also factor in any custom developments you use, including those based on ABAP or Java.
If your company's migration to SAP HANA or S/4HANA is right around the corner, our audits offer an ideal solution for safeguarding your systems and taking all the necessary security measures before you start your transition.
The seamless transparency you need
Our security and compliance audits are based on SAP's security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. We also guarantee systematic coverage and analysis of all the relevant check fields through the use of our own certified GRC software, SAST SUITE.
In a final presentation, you'll also receive a detailed breakdown of how your systems deviate from the ideal configuration, along with an analysis of the underlying reasons and resulting risks for your company.
Our project approach at a glance:
- Review of the mechanisms that control access to your systems
- Security tests at the network, operating system, and database Level
- Examination of your standard users' authorizations and the parameters of your SAP systems
- Inspection of your Internet configurations and encryption Settings
- Analysis of your critical area-specific and SAP system authorizations
- Review of your SAP privileges with a focus on critical authorizations and SoD conflicts
- Evaluation of your authorization, emergency user, and operational concepts
- Analysis and assessment of your process controls and corresponding organization
Whether it's external hacking attempts or manipulation from within, our experts can force their way into your SAP systems to simulate various attacks and test the limits of their defenses. This is one of the ways we identify the last remaining technical and system-internal vulnerabilities and entry points.
These pen tests are based on the recommendations from the German Federal Office for Information Security (BSI) and our own proven best-practice scenarios.
In this first step, we use realistic attack patterns to simulate the typical attempts made by external hackers. Our experts search through publicly accessible databases and inquire with various sources to find the information they need.
The goal is to gain access to your systems without an authenticated user, which involves exploiting technical flaws to execute functions at the database, application, and operating system level.
The second step focuses on simulating internal incursions. Here, the detailed knowledge ranges from the skills of the broad workforce to the in-depth system expertise possessed of how IT service providers can acquire.
We conduct our white-box tests manually to uncover the internal weaknesses in your databases, applications, and operating systems.
Our project approach at a glance
- Realistic attack patterns simulate external hacks and internal manipulations
- Reveal the vulnerabilities in your SAP systems and authorizations
- Shed light on the possible ways to access your systems
- Assess security at the database, application, and operating system level
- Analysis of the prior knowledge and time horizon required to exploit your security
- A final presentation that includes documentation of our assessment methods, and tailored recommendations for your company
- Follow-up workshop where we present the vulnerabilities we've found and explain the specific risks your company faces
Before you subject your SAP systems to the real stresses of our penetration testing, we recommend scheduling our SAP security and compliance audit. This will give you complete transparency regarding the potential risks to your landscape.
To improve your SAP security, we can provide you with a detailed list of measures you should take. Ideally, these will build on the recommendations we make following a corresponding audit. If you wish, we can also aid you in eliminating all the vulnerabilities we find and advise you on securing your systems for the long term.
SAP's standard software doesn't include a comprehensive, centralized means of analyzing the RFC interfaces in your systems. As a result, companies often fail to secure these interfaces properly, technical users are provided with too far-reaching privileges and the trust relationships between systems are rarely documented. In addition, remote database connections can lead to uncontrolled security vulnerabilities.
We know how to find these holes and close them for good.
Our security concepts include guidelines for all the security-related aspects of your SAP ERP and S/4HANA systems. In addition to being based on the recommendations of SAP, DSAG, and BSI, they are mandatory for both the operational level and all the internal and external parties involved.
The number of custom developments and third-party add-ons in SAP systems are continually on the rise. In our experience, however, the quality of the code regarding to its security is not typically high enough and so ABAP coding is increasingly coming into focus as a possible point of attack. Manual source code analyses are, on the other hand, extremely time-consuming and the cleanup requires highly specialized know-how.
Step 1: The vulnerability analysis
Our experts work tool-based with SAP standard tools, extended by proprietary developed security rules. Using SAST Code Vulnerability Analysis, we examine ABAP coding directly in your SAP systems. Together with our proven recommendations for action, you have a perfect basis for the step-by-step elimination of identified risks.
Step 2: Fixing the vulnerabilities
Our security experts support you in closing security gaps and building up knowledge for sustainable risk prevention in your company. We rely on a proven procedure for handling code scan results which also has been approved by auditors. Your advantage: A reduction of the cleansing effort by up to 90%, for example due to the inclusion of context information. Technical-organizational measures allow to even further reduce the number of necessary changes.
You can work with finding-lists of any scanner and are therefore independent of previously used code analysis tools.
Our project approach at a glance
- Initial workshop: Evaluation of the current situation, explanation of the processes, customer-specific prioritization of risks, determination of the project scope and roles
- Activating the SAST Code Scans
- Individual adjustment of the cleaning solution to your protection requirements
- Safe Go-Live with our soft cleansing approach
- Optional: Training of your developers for long-term elimination of code risks