The global and independent platform for the SAP community.

The path to SAP cyber resilience

The security precautions that IT organizations have taken are not sufficient at the back and front. The measures taken so far simply do not lead to sufficient resilience
Christoph Nagy, SecurityBridge
28 March 2023
it security header
This text has been automatically translated from German to English.

There is a lack of sufficient resilience

All too often, successful cyber attacks on IT infrastructure and SAP applications in the recent past have shown that there is a lack of sufficient resilience. IT organizations are therefore increasingly reviewing their established processes for effectiveness and from an economic perspective.

The problem is that the threat landscape is constantly changing. Criminals are constantly developing new methods of exploitation or discovering previously unknown vulnerabilities. This becomes possible because the settings of the SAP system itself are constantly changing. So to establish SAP cyber resilience, you need to develop procedures that capture every change in the threat and security situation, analyze their security impact, and enable immediate upgrades. 

In the SAP area, occasional reviews as part of IT security audits are often taken as an opportunity to adjust the hardening of SAP systems and question the fundamental security architecture. However, a one-off assessment is unlikely to help solve the problem in the long term. The next audit at the latest will reveal that new vulnerabilities or problems have emerged.

Active management of security measures for SAP applications is therefore necessary.
To this end, the IT landscape and configuration of the SAP systems must be regularly validated and user management and authorization assignments evaluated. Any deviations from the defined security baseline identified in the process can then be immediately translated into adequate responses. The first step toward SAP cyber resilience has been taken.

A security and compliance management of an SAP security platform supports the definition of security policies for all relevant SAP system parameters, critical authorizations and access control lists (ACL). At the same time, it checks whether the configuration complies with the standard.

However, one essential building block is still missing - if you want to implement an effective security monitoring program to detect cyberattacks, you need to track all transactions performed in the SAP application. A real-world example illustrates why regular controls and real-time monitoring are so important: The attacker exploits an unpatched vulnerability in the SAP transport management system (STMS) to put an account he has access to into god mode (for example, SAP_ALL). Once the malicious transport is imported and the credentials are active, it gains access and opens the system's modifiability. Now the attacker creates persistence by changing some system parameters that can be set dynamically, and this without leaving any corresponding log entries!

If the attacked systems had been immune to SAP cyberattacks, such an attack could not have taken place in this form. Because then the vulnerability in SAP STMS, which was fixed in October 2021, would have already been patched. Even if the attacker had been able to exploit the vulnerability, the security platform would have detected the unauthorized granting of administration rights as an anomaly in real-time monitoring and, if activated, removed it by automatic rule. 

However, if the criminals managed to infiltrate the system and even disable relevant security protocols, things could get tricky. They might have installed a "backdoor" to achieve persistence, i.e. created a way to return at a later time. But even if an attacker has managed to find and eliminate a vulnerability, regular vulnerability analysis increases the likelihood that security settings and the custom code base will be tested. SAP cyber resilience thus also protects against backdoor attacks.

Christoph Nagy, SecurityBridge

Christoph Nagy is Managing Director at SecurityBridge

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.