SAP security put to the test


How secure are SAP systems worldwide? The Cybersecurity Resilience Index for SAP provides a data-based answer to this question: it indicates the average percentage of compliant checks per area of responsibility across thousands of SAP systems in SecurityBridge's customer base. The IT security company now secures 8,000 SAP systems worldwide; the index therefore reflects an approximately representative picture of the security situation in all SAP systems worldwide.
Most areas of responsibility score between 58 and 77 percent. This indicates an overall solid security program in areas directly related to application controls and configuration. However, there are significant fluctuations in the areas of governance and integration. SecurityBridge found an index of 100 percent in the area of "Operating Systems" - at host level, system hardening and controls are therefore mature, consistently enforced and intensively tested. 77 percent in the area of "Development (Code Vulnerability)" indicates established practices for secure development. This reduces the attack surface introduced through custom ABAP code and repository changes and is a positive indicator for long-term risk mitigation.
Likewise, 77 percent in the area of "Integration" documents considerable safeguarding of interfaces (RFC, HTTP, TCP/IP), which reduces the risk of lateral movement via cross-system channels. "Identity" and "Access" at 73 percent reflect a solid IAM situation, with reliable processes for new hires, transfers and departures as well as authentication controls. Teams are actively managing their accounts and reducing orphaned and privileged access accounts.
Incorrectly managed authorizations
At the lower end of the scale are the areas of "Permissions" (68 percent) and "Data Protection" (65 percent) - risk areas that should actually enjoy high priority, as mismanaged permissions and the disclosure of sensitive data are frequent attack vectors for security breaches. Gaps in authorization control are closely related to the attack paths of attackers who work their way up from basic users to elevated privileges. The data protection score directly reflects the risk in terms of GDPR and other regulations, as well as the potential threat of data exfiltration. It signals an ongoing risk if access controls and monitoring for sensitive data are not consistently enforced.

SAP Basis weak point
The "SAP Basis" area, which is the governance and configuration layer underlying all other controls, has the lowest score at 58 percent. Vulnerabilities in this area can undermine logging, audit readiness and overall system assurance, creating a gap in the visibility of misconfigurations across the entire stack. The score indicates frequent misconfigurations or slow remediation cycles, which can impair incident response and forensic capabilities. Based on the results, the immediate focus should be on authorizations, data protection and SAP Basis. Risky or unused authorization profiles should be reviewed or cleaned up, and least privilege models implemented.
SecurityBridge also recommends policy-driven corrective measures and continuous monitoring for unusual authorization expansions.
When it comes to data protection, organizations should implement tighter data access controls, move to encryption for storage and transmission, and implement (and monitor) robust data loss prevention measures to reduce the risk of data exfiltration. Teams responsible for SAP Basis are well advised to tighten hardening measures, fix misconfigurations and ensure audit logs are enabled and retained. (Source: SecurityBridge)