In our experience, in far too many cases, the way companies neglect the security of their SAP system is borderline reckless. It's rare that we come across cases where the infrastructure has been properly hardened and effective authorization management is an everyday priority. That's why most threats are identified far too late.

To assess the risk exposure of your SAP landscape, we identify all the potential attack vectors.

If your company's migration to SAP HANA is right around the corner, our SAP security experts are the ideal partner for safeguarding your systems and ensuring all the necessary security settings are in place before you start your transition.

Benefit from our experience with successfully implemented projects and individual recommendations for action from our SAP security experts.
Security & Compliance Audits
SAST CONSULTING: SAP Security & Compliance Audits

Our audits are designed to help you determine your SAP landscape's actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations. We can also factor in any custom developments you use, including those based on ABAP or Java.

If your company's migration to SAP HANA or S/4HANA is right around the corner, our audits offer an ideal solution for safeguarding your systems and taking all the necessary security measures before you start your transition.

The seamless transparency you need

Our security and compliance audits are based on SAP's security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. We also guarantee systematic coverage and analysis of all the relevant check fields through the use of our own certified GRC software, SAST SUITE.

In a final presentation, you'll also receive a detailed breakdown of how your systems deviate from the ideal configuration, along with an analysis of the underlying reasons and resulting risks for your company.

Our project approach at a glance:

  • Review of the mechanisms that control access to your systems
  • Security tests at the network, operating system, and database level
  • Examination of your standard users' authorizations and the parameters of your SAP systems
  • Inspection of your Internet configurations and encryption settings
  • Analysis of your critical area-specific and SAP system authorizations
  • Review of your SAP privileges with a focus on critical authorizations and SoD conflicts
  • Evaluation of your authorization, emergency user, and operational concepts
  • Analysis and assessment of your process controls and corresponding organization
Penetration Tests
SAP penetration tests with the SAST consultants

Whether it's external hacking attempts or manipulation from within, our experts can force their way into your SAP systems to simulate various attacks and test the limits of their defenses. This is one of the ways we identify the last remaining technical and system-internal vulnerabilities and entry points.

These pen tests are based on the recommendations from the German Federal Office for Information Security (BSI) and our own proven best-practice scenarios.

Level 1: Black box testing from the Internet

In this first step, we use realistic attack patterns to simulate the typical attempts made by external hackers. Our experts search through publicly accessible databases and inquire with various sources to find the information they need.

The goal is to gain access to your systems without an authenticated user, which involves exploiting technical flaws to execute functions at the database, application, and operating system level.

Level 2: White box testing with User-ID from the intranet

The second step focuses on simulating internal incursions. Here, the assumed level of knowledge ranges from the skills of the broad workforce to the in-depth system expertise that IT service providers can acquire.

We conduct our white-box tests manually to uncover the internal weaknesses in your databases, applications, and operating systems.

Our project approach at a glance

  • Realistic attack patterns simulate external hacks and internal manipulations
  • Reveal the vulnerabilities in your SAP systems and authorizations
  • Shed light on the possible ways to access your systems
  • Assess security at the database, application, and operating system level
  • Analysis of the prior knowledge and time horizon required to exploit your security
  • A final presentation that includes documentation of our assessment methods, and tailored recommendations for your company
  • Follow-up workshop where we present the vulnerabilities we've found and explain the specific risks your company faces

Before you subject your SAP systems to the real stresses of our penetration testing, we recommend scheduling our SAP security and compliance audit. This will give you complete transparency regarding the potential risks to your landscape.

System Hardening and Optimization
SAST Consulting: SAP system hardening

To improve your SAP security, we can provide you with a detailed list of measures you should take. Ideally, these will build on the recommendations we make following a corresponding audit. If you wish, we can also aid you in eliminating all the vulnerabilities we find and advise you on securing your systems for the long term.

SAP's standard software doesn't include a comprehensive, centralized means of analyzing the RFC interfaces in your systems. As a result, companies often fail to secure these interfaces properly, technical users are granted overly broad privileges, and the trust relationships between systems are rarely documented. In addition, remote database connections can lead to uncontrolled security vulnerabilities.

We know how to find these holes and close them for good.

SAP Security Guidelines
SAST Consulting for custom-fit SAP security guidelines

Our security concepts include guidelines for all the security-related aspects of your SAP ERP and S/4HANA systems. In addition to being based on the recommendations of SAP, DSAG, and BSI, they are mandatory for both the operational level and all the internal and external parties involved.

Source Code Analyses and Cleansing
SAST SUITE: SAP source code security

The number of custom developments and third-party add-ons in SAP systems is continually on the rise. In our experience, however, the security quality of this code is typically not high enough, so ABAP coding is increasingly coming into focus as a possible point of attack. Manual source code analyses, on the other hand, are extremely time-consuming, and the cleanup requires highly specialized know-how.

Step 1: The vulnerability analysis

Our experts use SAP standard tools, extended by proprietary security rules. Using SAST Code Vulnerability Analysis, we examine ABAP coding directly in your SAP systems. Together with our proven recommendations for action, you have a perfect basis for the step-by-step elimination of identified risks.

Step 2: Fixing the vulnerabilities

Our security experts support you in closing security gaps and building up knowledge for sustainable risk prevention in your company. We rely on a proven procedure for handling code scan results, which has also been approved by auditors. Your advantage: a reduction of the cleansing effort by up to 90%, for example through the inclusion of context information. Technical and organizational measures can reduce the number of necessary changes even further.

You can work with finding lists from any scanner and are therefore independent of previously used code analysis tools.

Our project approach at a glance

  • Initial workshop: Evaluation of the current situation, explanation of the processes, customer-specific prioritization of risks, determination of the project scope and roles
  • Activating the SAST Code Scans
  • Individual adjustment of the cleaning solution to your protection requirements
  • Optional: Training of your developers for long-term elimination of code risks
"From the experience of our security reviews we know: every system is vulnerable. It is only a question of how difficult it is and how long it takes. Using the right concept, the probability of a successful attack can be significantly reduced."
Florian Wunder, COO SAST SOLUTIONS
"Many companies focus on only the most important SAP systems in the context of IT security. We recommend analyzing your entire system landscape: This ensures that vulnerabilities are cleaned up and allows for excellent synergies."
Steffen Maltig, Head of SAP Consulting, SAST SOLUTIONS
— Steffen Maltig
Head of SAST CONSULTING

Copyright akquinet AG. All Rights Reserved.