In our experience, in far too many cases, the way companies neglect the security of their SAP system is borderline reckless. It's rare that we come across cases where the infrastructure has been properly hardened and effective authorization management is an everyday priority. That's why most threats are identified far too late.

To assess the risk exposure of your SAP landscape, we identify all the potential attack vectors.

If your company's migration to SAP HANA is right around the corner, our SAP security experts are the ideal partner for safeguarding your systems and ensuring all the necessary security settings before you start your Transition.

Benefit from our experience with successfully implemented projects and individual recommendations for action from our  SAP security experts.
Security & Compliance Audits

Our audits are designed to help you determine your SAP landscape's actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations. We can also factor in any custom developments you use, including those based on ABAP or Java.

If your company's migration to SAP HANA or S/4HANA is right around the corner, our audits offer an ideal solution for safeguarding your systems and taking all the necessary security measures before you start your transition.

The seamless transparency you need

Our security and compliance audits are based on SAP's security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. We also guarantee systematic coverage and analysis of all the relevant check fields through the use of our own certified GRC software, SAST SUITE.

In a final presentation, you'll also receive a detailed breakdown of how your systems deviate from the ideal configuration, along with an analysis of the underlying reasons and resulting risks for your company.

Our project approach at a glance:

  • Review of the mechanisms that control access to your systems
  • Security tests at the network, operating system, and database Level
  • Examination of your standard users' authorizations and the parameters of your SAP systems
  • Inspection of your Internet configurations and encryption Settings
  • Analysis of your critical area-specific and SAP system authorizations
  • Review of your SAP privileges with a focus on critical authorizations and SoD conflicts
  • Evaluation of your authorization, emergency user, and operational concepts
  • Analysis and assessment of your process controls and corresponding organization
Penetration Tests

Whether it's external hacking attempts or manipulation from within, our experts can force their way into your SAP systems to simulate various attacks and test the limits of their defenses. This is one of the ways we identify the last remaining technical and system-internal vulnerabilities and entry points.

These pen tests are based on the recommendations from the German Federal Office for Information Security (BSI) and our own proven best-practice scenarios.

Level 1: Black box testing from the Internet

In this first step, we use realistic attack patterns to simulate the typical attempts made by external hackers. Our experts search through publicly accessible databases and inquire with various sources to find the information they need.

The goal is to gain access to your systems without an authenticated user, which involves exploiting technical flaws to execute functions at the database, application, and operating system level.

Level 2: White box testing with User-ID from the intranet

The second step focuses on simulating internal incursions. Here, the detailed knowledge ranges from the skills of the broad workforce to the in-depth system expertise possessed of how IT service providers can acquire.

We conduct our white-box tests manually to uncover the internal weaknesses in your databases, applications, and operating systems.

Our project approach at a glance

  • Realistic attack patterns simulate external hacks and internal manipulations
  • Reveal the vulnerabilities in your SAP systems and authorizations
  • Shed light on the possible ways to access your systems
  • Assess security at the database, application, and operating system level
  • Analysis of the prior knowledge and time horizon required to exploit your security
  • A final presentation that includes documentation of our assessment methods, and tailored recommendations for your company
  • Follow-up workshop where we present the vulnerabilities we've found and explain the specific risks your company faces

Before you subject your SAP systems to the real stresses of our penetration testing, we recommend scheduling our SAP security and compliance audit. This will give you complete transparency regarding the potential risks to your landscape.

System Hardening and Optimization

To improve your SAP security, we can provide you with a detailed list of measures you should take. Ideally, these will build on the recommendations we make following a corresponding audit. If you wish, we can also aid you in eliminating all the vulnerabilities we find and advise you on securing your systems for the long term.

SAP's standard software doesn't include a comprehensive, centralized means of analyzing the RFC interfaces in your systems. As a result, companies often fail to secure these interfaces properly, technical users are provided with too far-reaching privileges and the trust relationships between systems are rarely documented. In addition, remote database connections can lead to uncontrolled security vulnerabilities.

We know how to find these holes and close them for good.

SAP Security Guidelines
SAST SAP Security Guidelines title

Our security concepts include guidelines for all the security-related aspects of your SAP ERP and S/4HANA systems. In addition to being based on the recommendations of SAP, DSAG, and BSI, they are mandatory for both the operational level and all the internal and external parties involved.

Source Code Analyses and Cleansing

The number of custom developments and third-party add-ons in SAP systems are continually on the rise. In our experience, however, the quality of the code with regard to its security is not typically high enough. And that is no secret to potential attackers. Attackers increasingly have ABAP code in their sights as a possible gateway.

Code Checks

While an analysis of your source code is intended as a first step to increasing your IT security and compliance, it can also be seen as a springboard for improving internal quality. However, manual source code analyses are extremely time consuming and require specialist expertise. This is why our experts leverage tools and use our proprietary SAST Code Advisor.

This module of the SAST SUITE allows us to analyze ABAP code directly in your SAP systems. To further optimize risk assessments, the context of the code is also taken into account, which results in significantly fewer false positives. For you this means that the analysis shows exclusively high-quality results for critical vulnerabilities in your SAP systems. Combine this with our tried and tested recommendations and you have a perfect basis for gradually addressing any findings.

Your developers will continue to benefit from the SAST Code Advisor beyond the analysis phase: They can run ongoing checks on their code and receive tailored reports that provide full transparency into their current security status.

Our project approach at a glance

  • Initial workshop: situational assessment, customer-specific priorities, processes, guidelines and definition of the scope of checks
  • Import and activation of SAST Code Advisor
  • Optional: set-up of regular check runs, integration into your development and transport process, training for your developers on achieving long-term code security
  • Option to check code in a one-time audit

Code Cleansing

Similarly to the analysis, our code cleansing projects are also supported by a tool. Thanks to our SAST Code Remediator, we can significantly reduce the cleansing effort of most finding patterns. For example, locking inactive objects slashes up to 90% of efforts.

We work with finding lists from any scanners, meaning that we are fully independent of the code analysis tool used previously. If you wish, our code security experts can be on standby to advise you during the project or to provide support during code clean-up itself. No matter what you decide, we will individually coordinate the cleansing of any vulnerabilities we find with you. Our Code Cleansing Cockpit enables highly targeted project and task management.

Auditors have accepted this approach and the integrated tool support as a successful measure when the scan results are poor.

Our project approach at a glance

  • Initial workshop: determination of your individual protection requirements, prioritization of vulnerabilities, determination of scope of cleansing, and definition of project roles
  • Individual coordination of cleansing solution with your protection requirements
  • Enhancement of analysis data with context knowledge and locking of inactive objects
  • Technical-organization measures outside of the code reduce the number of code changes still further
  • Partially automated cleansing using the SAST Code Remediator
  • Optional: Safe Go-Live with our Soft Cleansing Approach
"From the experience of our security reviews we know: every system is vulnerable. It is only a question of how difficult it is and how long it takes. Using the right concept, the probability of a successful attack can be significantly reduced."
— Florian Wunder

Further SAST CONSULTING Services

Copyright akquinet AG. All Rights Reserved.