The global and independent platform for the SAP community.
IT Management, MAG 23-11

SAP Security Vulnerability Scan

In order to be able to assess the risk potential of SAP landscapes and identify possible points of attack, there are numerous measures that make it a challenge to maintain an overview.
Axel Giese, Pathlock Germany
November 21, 2023
Content:
avatar
This text has been automatically translated from German to English.

The offer ranges from vulnerability scans to audits and penetration tests. However, which approach is the right one for what depends on individual result requirements.

When performing vulnerability scans, also known as vulnerability assessments, SAP systems are scanned automatically or semi-automatically for known vulnerabilities and the results are listed in a tabular report. In the simplest case, this can be a list of the security-relevant parameters of an SAP application server without subjecting them to an assessment. There is therefore no check as to whether the vulnerabilities can be exploited, as would be the case with a penetration test.

In addition, some of the identified vulnerabilities may be so-called "false positives", which are listed but do not pose a threat in the current system context or are system-related. Even if they are not checked for active threats, regular vulnerability scans are still necessary to ensure information security in general and should be repeated at regular intervals. In addition to incorrect parameterization of SAP application servers, a vulnerability scan also detects problems such as missing patches and outdated protocols, certificates and services.

Security and compliance audit

A security and compliance audit is a comprehensive and formal review of the security of a company's systems and security-relevant processes. An SAP audit is therefore a complete and thorough examination not only of physical attributes such as the security of the operating platform, the application server and the network architecture, but also the inspection and check of existing security concepts, for example on topics such as SAP authorizations or the handling of emergency users.

In terms of methodology, the audit involves carrying out a vulnerability scan. In addition, the results are evaluated in the context of the respective system environment and "false positives" are eliminated. The resulting recommendations for action to further secure the SAP systems are much more detailed and in-depth than is possible in a vulnerability scan report, and the informative value of a security and compliance audit with regard to securing SAP systems therefore goes far beyond this, as the results are also subjected to an evaluation, considered in the context of the system environment of the respective company and summarized in a detailed report. It is highly recommended that audits are carried out as initial preparation and after completion of hardening measures as well as in the context of a system or platform migration.

Penetration test

In contrast to vulnerability scans and audits, a penetration test, or pentest for short, attempts to actively exploit vulnerabilities. The automated vulnerability scan is contrasted with a procedure that requires both in-depth specialist knowledge and tools from different areas. A penetration test requires comprehensive planning with regard to the result to be achieved, the method to be applied and the tools to be used. The central goal of a pentest is to identify insecure business processes, incorrect security settings or other vulnerabilities that an attacker could exploit. For example, the transmission of unencrypted passwords, the reuse of default passwords and forgotten databases in which valid user credentials are stored can be uncovered. Pentests do not need to be performed as frequently as vulnerability scans, but it is advisable to repeat them at regular intervals.

Penetration tests should also be carried out by an external provider and not by internal employees. This ensures an objective perspective and avoids conflicts of interest. The external party should have extensive and in-depth experience in the field of information technology, preferably in the company's business area. The ability to apply abstract thinking and anticipate the behavior of threat actors, in addition to a focus on completeness and an understanding of how and why a company's environment could be compromised, is important for performing this service.

Identify weak points

In terms of holistic protection, the three methods result in the best possible protection against vulnerabilities at different intervals. Each test approach, from vulnerability scans to targeted penetration tests, is crucial for a comprehensive security strategy. However, the complexity of SAP applications makes it difficult to consistently adhere to proven security procedures - the sheer volume of logs generated is too large to be scanned manually. It therefore makes sense to rely on the support of external specialists such as Pathlock. In addition to security consulting, where compliance experts with the necessary know-how identify vulnerabilities even for pentests, they offer a range of automated scanning and threat detection solutions.

Pathlock Partner Entry
avatar
Axel Giese, Pathlock Germany


All articles of the author

Write a comment

Continuing to work closely together for the benefit of our joint customers

Is SAP’s Restructuring Program a Hit or a Miss?

ERP Knowledge Gaps

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

May 21 and 22, 2025

Early Bird Ticket

Available until March 1, 2025
€ 490 excl. VAT

Regular ticket:

€ 590 excl. VAT

Venue

Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket
EUR 490 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.