The crux with SAP interfaces

Unprotected SAP interfaces open the door to hackers. Many companies are aware of this, but still do not have adequate security measures in place. What is needed are solutions with which the interfaces can be analyzed and monitored across the board.
Oleksandr Panchenko, Virtual Forge
February 14, 2018
This text has been automatically translated from German to English.

SAP system environments are constantly growing and changing. This is driven by general market developments such as globalization, which leads to ever more complex business processes: companies expand, merge and acquire other companies. Added to this are new digitization trends, for example cloud computing and Industry 4.0, which require ever closer IT integration.

Over the years, this has resulted in heterogeneous system landscapes in many places with up to several thousand data interfaces connecting SAP applications with each other, but also with non-SAP systems.

In addition to the well-known interfaces, there are a number that system administrators do not even recognize as such, for example unauthorized downloads of lists via the SAP GUI, direct access to the database, or communication with external systems.

Loophole for data thieves

If these interfaces are outdated, incorrectly configured or inadequately protected, they offer attackers attractive entry points for accessing information. Data thieves, industrial spies and saboteurs are then able to copy, change or delete entire data sets, and thus falsify the balance sheet result or shut down the SAP system completely.

This can have considerable financial and legal consequences for a company, and its reputation also suffers. The pressure is intensified by increasingly strict statutory data protection laws, such as the new EU General Data Protection Regulation (GDPR), which is mandatory from May 25, 2018.

The EU GDPR standardizes the rules for the processing of personal data by companies and public institutions throughout the EU. Both are obliged to take appropriate technical and organizational measures to protect personal data, for example against processing by unauthorized persons and against accidental loss.

In addition, the documentation requirements are tightened compared to the previously applicable data protection rules: for example, the data controller must be able to prove compliance with the EU GDPR. Violations are punishable by fines of up to 20 million euros or up to 4 percent of a company's annual global turnover.

Although the risks of unsecured SAP interfaces have long been known, most companies do not have the problem under control - mainly because there is no comprehensive transparency about which interfaces exist.

No central documentation

As a rule, there is no central function that holds complete documentation of all interfaces and of the data exchanged via them. Often, the departments agree the interfaces of their SAP systems directly with customers, suppliers or system vendors, without these being recorded in a company-wide inventory.

Thus, it is hardly possible for companies to continuously evaluate and monitor their current SAP interfaces in order to protect them against possible attacks. Nor are they in a position to comply with the provisions of the EU GDPR, since they do not even know exactly which SAP interfaces are used, or could be used, to exchange personal data.

Without this knowledge, however, they cannot prove that they have secured the relevant interfaces in accordance with the state of the art in order to protect the personal data from unauthorized access or accidental leakage.

A lot of effort for manual analyses

To avoid such problems and gain transparency about their interface landscape, some companies already rely on manual analyses of the security-critical parameters of their interfaces and of runtime statistics.

However, these evaluations can usually only be carried out on a sample basis, as they are enormously time-consuming. Similar limitations apply to the various analysis tools offered on the market.

There are three main reasons for this. First, the existing solutions focus on evaluating individual interface technologies, of which large numbers can be found side by side in an evolved SAP system environment: for example, Remote Function Call (RFC), HTTP, FTP, Java Connector (JCo) and many others.

Anyone who wants to gain as complete an overview as possible of the interfaces currently in use must therefore analyze each technology individually and consolidate the results manually. This, too, takes considerable time and money.

Available solutions are not enough

Another disadvantage of the available solutions is that they analyze interfaces and data flows only locally, i.e. from a single system. However, to obtain as complete a picture as possible of the communication relationships within an SAP system landscape, each interface must be evaluated from both sides.

Many conventional analysis tools also focus on just one problem, such as the question of which data is downloaded via the SAP GUI. In either case, clarity about the existing interface landscape is achieved only in part.

Companies can gain a complete overview with solutions such as Virtual Forge InterfaceProfiler. They define a model, or set of rules, for the desired SAP system and interface landscape and compare it on an ongoing basis with the information actually collected (target/actual analysis).

In the process, the deviations are reported and documented. Starting from a central SAP system, the InterfaceProfiler analyzes the communication relationships of the entire system environment.

The results are presented graphically and logs of the vulnerabilities found, including their criticality, are generated. In addition, suggestions are made for possible improvements to the security and technical design of the interfaces.

With dedicated security functions, numerous risks in daily system operation can be countered at the push of a button, such as blocking the authorizations needed to download result lists in the SAP GUI.

Likewise, copy-and-paste of ALV lists can be prevented. The relevant permissions are displayed clearly and at fine granularity in the InterfaceProfiler cockpit - an important requirement for GDPR compliance.

A monitoring component provides information about interfaces that are still technically functional but have not been used for some time. In addition, the usage intervals of interfaces that are still in use can be determined and unauthorized, unscheduled interface activities can thus be identified. All events are logged extensively and can be actively reported.
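The target/actual comparison and the stale-interface monitoring described above, sketched as an added Python example (this is not Virtual Forge's code): a hand-constructed interface model is compared against constructed usage records, and deviations are reported as findings. Interface names, system names and time windows are invented for illustration.

```python
from datetime import datetime, timedelta

# Constructed "target" model: the interfaces that are supposed to exist, with their
# technology, endpoints and the hours during which use is expected.
TARGET_MODEL = {
    "ORDERS_TO_WMS":  {"tech": "RFC", "src": "ERP", "dst": "WMS",    "hours": (6, 22)},
    "PAYROLL_EXPORT": {"tech": "FTP", "src": "HCM", "dst": "BANKGW", "hours": (1, 4)},
    "LEGACY_PRICING": {"tech": "JCo", "src": "ERP", "dst": "PRICE",  "hours": (0, 24)},
}

# Constructed "actual" usage records: (timestamp, interface, technology, source, destination).
OBSERVED = [
    ("2018-02-01T07:15:00", "ORDERS_TO_WMS",  "RFC",  "ERP", "WMS"),
    ("2018-02-01T23:40:00", "ORDERS_TO_WMS",  "RFC",  "ERP", "WMS"),      # outside window
    ("2018-02-02T02:05:00", "PAYROLL_EXPORT", "FTP",  "HCM", "BANKGW"),
    ("2018-02-02T10:00:00", "ADHOC_EXTRACT",  "HTTP", "ERP", "UNKNOWN"),  # not in model
    ("2018-02-03T09:00:00", "ORDERS_TO_WMS",  "HTTP", "ERP", "WMS"),      # wrong technology
]


def analyse(model, observed, now, stale_after=timedelta(days=90)):
    """Compare observed interface usage against the target model.

    Returns (kind, interface, timestamp) findings for: interfaces used but not
    documented, documented interfaces used with unexpected technology/endpoints,
    use outside the expected time window, and documented interfaces that are
    still present but have not been used within `stale_after`.
    """
    findings, last_seen = [], {}
    for ts, name, tech, src, dst in observed:
        t = datetime.fromisoformat(ts)
        spec = model.get(name)
        if spec is None:
            findings.append(("UNDOCUMENTED", name, ts))
            continue
        if (tech, src, dst) != (spec["tech"], spec["src"], spec["dst"]):
            findings.append(("MISMATCH", name, ts))
        lo, hi = spec["hours"]
        if not lo <= t.hour < hi:
            findings.append(("OUT_OF_WINDOW", name, ts))
        last_seen[name] = max(last_seen.get(name, t), t)
    # Stale check: modelled interfaces never seen, or not seen for too long.
    for name in model:
        seen = last_seen.get(name)
        if seen is None or now - seen > stale_after:
            findings.append(("STALE", name, seen.isoformat() if seen else None))
    return findings


def run_example():
    return analyse(TARGET_MODEL, OBSERVED, now=datetime(2018, 2, 14))
```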

Oleksandr Panchenko, Virtual Forge

Oleksandr Panchenko leads the development of InterfaceProfiler at Virtual Forge.
