
SAP Security Assessment

What is a SAP Security Assessment?

SAP systems are critical business assets that manage essential processes, financial operations, and confidential enterprise data. These systems are frequently targeted by malicious actors due to their importance in managing core business operations and financial transactions. Security breaches in SAP environments can result in substantial consequences, including data theft, financial damage, disruption of operations, and compliance violations. Protecting these critical systems requires a comprehensive security assessment approach.

A SAP Security Assessment by SCHUTZWERK provides you with a detailed analysis of your entire SAP landscape from an attacker’s perspective. Our experts identify critical vulnerabilities in the SAP system, authorization concepts, and custom code before attackers can exploit them.


Objective

Identification of vulnerabilities in SAP systems and risk assessment for specific threat scenarios

Question

How secure is your SAP system? What damage can external attackers and malicious users cause in the worst case?

Scope

SAP systems including their interfaces, configurations, authorizations, and connected systems

SAP Security Assessment Process: Methodology & Approach

Our SAP Security Assessment follows a structured methodology to thoroughly evaluate your SAP landscape. The process begins with comprehensive scoping to define which systems and applications will be examined. Using a white-box approach, our security experts collaborate with your SAP Basis team, application developers, and security monitoring teams to gain a deep understanding of your SAP architecture.

During the assessment, our specialists first examine system configurations, profile parameters, and security settings, comparing them against SAP security baseline recommendations. We then analyze critical authorizations, custom code vulnerabilities, and application security risks. Taking both external attacker and internal malicious user perspectives, we identify potential attack vectors across your entire SAP landscape.

Since SAP systems are business-critical, we take special precautions during testing. Vulnerabilities are manually verified, with potentially high-risk exploits tested first in isolated environments before being confirmed in quality assurance systems, avoiding any negative impact on your production environment.

In general, the assessment aims to be as comprehensive as possible. Depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test). In this case, the focus is on particularly security-critical or exposed areas, and the scope of the test is determined by the time budget agreed upon in advance.

Regarding SAP security, we adhere to the guidelines of international organizations such as DSAG (German SAP User Group) and SAP’s own security recommendations.

Core Components of a SCHUTZWERK SAP Security Assessment

The SAP Security Assessment covers a wide range of aspects to ensure a comprehensive security analysis of your SAP landscape and its individual systems. These include:

System Hardening & Configuration Analysis

  • Assessment of SAP system configuration (profile parameters, gateway services, etc.) against official SAP Security Baseline templates
  • Review of database configuration security for SAP HANA or other database platforms
  • Evaluation of network security measures, segmentation, and access controls for SAP systems
  • Analysis of SAP kernel security settings and critical system parameters
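The first bullet above describes comparing profile parameters against a security baseline. The following script is an added illustration of that check and is not SCHUTZWERK's tooling or SAP's own baseline: it parses a constructed "name = value" export of profile parameters and reports deviations from an illustrative baseline. The parameter names are real SAP profile parameters, but the sample values and the baseline thresholds are assumptions made for this example; the current SAP Security Baseline template is the authoritative source for the real recommended values.

```python
"""Compare exported SAP profile parameters against a baseline (illustrative)."""
from dataclasses import dataclass

# Constructed sample export in the "name = value" form a Basis administrator
# might paste from RZ11/RSPARAM output. Values are invented for this example
# and do not describe any real system.
SAMPLE_PROFILE = """\
# profile parameters (constructed sample)
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
rdisp/gui_auto_logout = 3600
gw/acl_mode = 1
"""


@dataclass(frozen=True)
class Rule:
    parameter: str
    op: str        # "min": actual >= expected, "max": actual <= expected, "eq": equal
    expected: int
    rationale: str


# Illustrative baseline: the thresholds are assumptions for this example, not
# the official SAP Security Baseline values.
BASELINE = [
    Rule("login/min_password_lng", "min", 8, "short passwords are cheap to guess"),
    Rule("login/password_expiration_time", "min", 1, "0 disables password expiry"),
    Rule("login/fails_to_user_lock", "max", 5, "limit failed logon attempts before lock"),
    Rule("login/no_automatic_user_sapstar", "eq", 1, "prevent fallback to SAP* with its default password"),
    Rule("rdisp/gui_auto_logout", "max", 1800, "idle GUI sessions should time out"),
    Rule("gw/acl_mode", "eq", 1, "gateway ACLs must be enforced"),
    Rule("rsau/enable", "eq", 1, "security audit log must be switched on"),
]


def parse_profile(text):
    """Parse 'name = value' lines into a dict; blank lines and # comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check(params, baseline=BASELINE):
    """Return one finding dict per baseline rule the exported parameters violate."""
    findings = []
    for rule in baseline:
        if rule.parameter not in params:
            # A parameter missing from the export is reported rather than
            # silently assumed to be at its (often insecure) default.
            findings.append({"parameter": rule.parameter, "expected": f"{rule.op} {rule.expected}",
                             "actual": None, "rationale": rule.rationale})
            continue
        try:
            actual = int(params[rule.parameter])
        except ValueError:
            findings.append({"parameter": rule.parameter, "expected": f"{rule.op} {rule.expected}",
                             "actual": params[rule.parameter], "rationale": "value is not numeric"})
            continue
        ok = {"min": actual >= rule.expected,
              "max": actual <= rule.expected,
              "eq": actual == rule.expected}[rule.op]
        if not ok:
            findings.append({"parameter": rule.parameter, "expected": f"{rule.op} {rule.expected}",
                             "actual": actual, "rationale": rule.rationale})
    return findings


if __name__ == "__main__":
    for f in check(parse_profile(SAMPLE_PROFILE)):
        print(f"{f['parameter']}: actual={f['actual']} expected {f['expected']} ({f['rationale']})")
```

Missing parameters are reported explicitly because a parameter absent from the export usually means the kernel default applies, and that default is not always the secure choice.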

Authentication & Authorization Security

  • Review of user management practices and password policy implementations
  • In-depth analysis of role and authorization concepts with focus on critical combinations
  • Detailed evaluation of privileged access rights that could lead to privilege escalation
  • Assessment of emergency users and technical user management
  • Detection of excessive authorization patterns across the SAP landscape
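The "critical combinations" bullet above refers to authorizations that are harmless on their own but dangerous when one user holds them together, typically via several roles. The following script is an added example, not SCHUTZWERK's method or any SAP-delivered rule set: it computes each user's effective transaction codes across all assigned roles and reports which constructed users hold a critical combination, and through which roles. The transaction codes are real SAP transactions; the role names, user names and the two-entry combination list are assumptions made for this example, not a complete segregation-of-duties matrix.

```python
"""Detect critical transaction combinations across a user's roles (illustrative)."""

# Constructed sample data: transactions granted per role, and roles per user.
# Role and user names are invented; the transaction codes are real SAP transactions.
ROLE_TCODES = {
    "Z_USER_ADMIN": {"SU01", "SU10"},
    "Z_ROLE_ADMIN": {"PFCG"},
    "Z_AP_CLERK": {"FB60", "XK01"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_REPORTING": {"SE16", "SQ01"},
}
USER_ROLES = {
    "ALICE": ["Z_USER_ADMIN", "Z_ROLE_ADMIN"],
    "BOB": ["Z_AP_CLERK"],
    "CAROL": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "DAVE": ["Z_REPORTING"],
}

# Illustrative critical combinations (an assumption for this example): each
# entry lists transactions one person should not hold together, and why.
CRITICAL_COMBINATIONS = [
    ({"SU01", "PFCG"},
     "user administration plus role administration lets one person grant themselves any authorization"),
    ({"XK01", "F110"},
     "creating vendor master data plus running payment runs enables fictitious-vendor payouts"),
]


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the transactions granted by every role assigned to the user."""
    tcodes = set()
    for role in user_roles.get(user, []):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def find_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=CRITICAL_COMBINATIONS):
    """Return one finding per (user, critical combination) the user fully holds."""
    findings = []
    for user in sorted(user_roles):
        held = effective_tcodes(user, user_roles, role_tcodes)
        for combo, rationale in rules:
            if combo <= held:
                # Record which roles contribute, since the fix is usually a
                # role split rather than removing the user.
                via = sorted(r for r in user_roles[user] if role_tcodes.get(r, set()) & combo)
                findings.append({"user": user, "transactions": sorted(combo),
                                 "via_roles": via, "rationale": rationale})
    return findings


if __name__ == "__main__":
    for f in find_conflicts():
        print(f"{f['user']}: {' + '.join(f['transactions'])} via {', '.join(f['via_roles'])} -> {f['rationale']}")
```

The check is deliberately performed on the user's effective set rather than per role, because the combinations that matter in practice are typically spread across two individually unremarkable roles.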

Interface Security & Integration Testing

  • Analysis of RFC connections and their security configurations
  • Assessment of web service security and API protection mechanisms
  • Evaluation of trusted system relationships and proper authentication implementations
  • Review of integration points with third-party systems and potential security gaps

Custom Code Security Analysis

  • Custom code review focusing on authorization checks and critical functions
  • UI5/Fiori application security assessment including client-side controls
  • Detection of SQL injection vulnerabilities and other code-level security issues
  • Review of custom development processes for security integration

Security Monitoring & Incident Detection

  • Evaluation of the effectiveness of SAP Enterprise Threat Detection (ETD)
  • Assessment of FRUN monitoring capabilities and alert configurations
  • Verification of detection capabilities against common attack patterns
  • Analysis of security-relevant audit logging and log retention policies

Practical Testing & Validation

  • Controlled exploitation of identified vulnerabilities in isolated environments
  • Verification of attack vectors with minimal risk to production systems
  • Privilege escalation attempts to demonstrate real-world impact
  • Assessment of evasion techniques against security monitoring systems

Collaborating with your SAP Basis team, SAP authorization team, application developers, and security personnel, we ensure that the assessment addresses your specific requirements. All findings receive practical risk ratings and actionable remediation advice tailored to your environment.

SAP Security Assessment Results & Deliverables

As a result of the assessment, we provide a detailed report. Depending on the type and scope of the project, the final report includes the following parts:

  • Management summary with a description of the results and the security level
  • Description of the project approach, scope, schedule and methodology
  • Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
  • Detailed description of the iterative exploitation process when using chained vulnerabilities
  • Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
  • Description of measures to remedy the vulnerabilities
  • If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions

SAP Security Assessment and Relevant Regulations & Standards

SAP systems are subject to numerous regulatory requirements due to their business-critical nature and the sensitive data they process. A professional SAP Security Assessment helps you meet these compliance requirements:

  • ISO 27001 - For certification according to this internationally recognized standard for information security, the assessment of critical enterprise systems like SAP is essential. Regular SAP Security Assessments support the implementation of controls A.8.8 (Technical vulnerability management) and A.8.29 (Security testing in development and acceptance) and provide important evidence for your Information Security Management System (ISMS).

  • GDPR (General Data Protection Regulation) - As SAP systems often process personal data, a security assessment helps ensure the integrity and confidentiality of this data in accordance with Articles 5 and 32 of the GDPR.

  • TISAX (Trusted Information Security Assessment Exchange) - In the automotive industry, the security of SAP systems, which often serve as central ERP systems, is particularly important. A SAP Security Assessment fulfills TISAX requirements for securing business-critical applications.

  • GoBD (Principles for the Proper Keeping and Preservation of Books, Records and Documents in Electronic Form) - As SAP systems in Germany often manage tax and accounting relevant data, a security assessment supports GoBD requirements for data security and immutability of this information.

  • DORA (Digital Operational Resilience Act) - This EU regulation for the financial sector introduces requirements for ICT risk management, which includes security testing of critical systems like SAP. SAP Security Assessments help financial institutions meet DORA requirements by identifying vulnerabilities in business-critical SAP systems that process financial data, supporting operational resilience and risk management objectives.

To comprehensively secure your SAP environment, we recommend the following services in addition to a SAP Security Assessment:

  • Penetration Testing for comprehensive testing of the IT infrastructure hosting your SAP systems
