SAP Vulnerability Assessment and SAP Security Audit Services by ESNC

ESNC consultants are publicly acknowledged by SAP for discovery and reporting of more than 100 security vulnerabilities.

Get your systems assessed by the best professionals!



HOW IT WORKS: CHOOSE YOUR SAP SECURITY ASSESSMENT TYPE | DEFINE THE SCOPE | SET UP THE PROJECT DATE FOR EXECUTION

  • OPTION 1 – In-depth SAP Security Analysis

    Thoroughly analyze all SAP systems, including ABAP, Java AS, S/4HANA, Solution Manager, ERP, mobile, Fiori, Business Objects and more. Identify vulnerabilities such as remote OS command execution, SoD authorization bypass, and password theft, which can have direct business impact including manipulation of sensitive business transactions and processes, theft of customer data, and corruption of financial information.

    Get detailed recommendations about your SAP user setup process and authorization flaws, network connectivity and encryption, patch process, activated services, server to server communication, and implementation of SAP best practices.


  • OPTION 2 – Application Security Assessment

    Analyze your ABAP code against OWASP Top 10 vulnerabilities and ABAP-specific vulnerabilities such as ABAP injection, SQL injection, XSS and authentication bypass. Identify ABAP backdoors and mitigate risks based on our guidelines.


ESNC SAP SECURITY AUDIT & ASSESSMENT BENEFITS

  • Focus on Critical Business Risks – Open Gaps

    Analyze SAP system security based on business functionality and impact. Identify vulnerability root cause and eliminate risks based on expert guidance.

    Get a detailed explanation of issues, risks, and recommendations for mitigation, including references to SAP security guidelines.


  • False Positives? We don’t have any

    All our security assessments go through an extensive quality check before final delivery. All our findings are accurate and come with proper evidence and recommendations, so that technical teams and management can understand the issues and work on mitigating actions efficiently.


  • Answer to your question “What do we do next?”

    Prioritization of security activities is one of the most important aspects of our SAP security review. Based on the vulnerabilities in your SAP landscape and how they interconnect, we tell you which SAP security issues to focus on first for quick wins.

    We collaborate with your SAP and security teams on an action plan that addresses the root causes, including gaps in your business processes, so that issues do not reappear after they have been fixed.


  • Threat Analysis – Detection of Existing Breaches and Fraud

    The in-depth security assessment includes an analysis of your security logs and business data to detect whether a breach of your system has actually happened.

    Did someone steal the customer or supplier list, download employee payroll information, change the bank details of a vendor and initiate a purchase? These and many other cases are assessed.


  • Establish SAP Security Baselines

    Based on the results, align business requirements with proper security controls and collaborate with our experts to develop SAP security-hardening documents and baselines covering ABAP, SAP Java, SAP BASIS, and user authorizations.


  • Mind-Blowing Security Charts and Dashboards for Your Management

    With our multivector threat analysis feature we analyze the interconnectivity of your systems and present the findings with visualizations you have never seen before. The result is a clear and understandable security posture for all of your SAP systems in scope, which any manager can easily understand and approve, even without prior SAP knowledge.


  • ESNC’s Expert Advantage

    Since ESNC was established in 2009, its sole focus has been SAP security. ESNC experts have helped many organizations identify and mitigate SAP security vulnerabilities. All consultants assigned by ESNC are publicly acknowledged by SAP for discovering vulnerabilities in SAP standard software.


  • Power and Speed by ESNC Security Suite

    ESNC SAP security consultants always use ESNC Security Suite during assessments. This gives them immense speed and accuracy in detecting security issues and in determining whether the systems have already been breached. The SAP security checks and automatic inventory detection done by our software would take man-months if done solely through consultancy.


By introducing security during the design phase of new technologies such as S/4HANA, you can reduce costs significantly

Fixing issues after implementation is costly. By focusing on SAP S/4HANA security, SAP Hybris security or other individual components such as Fiori during the design phase, you can reduce costs and increase security in the most efficient way.


SAP Security Vulnerabilities Discovered and Reported by ESNC

ESNC has discovered and reported critical security issues in SAP’s products, many of which apply to all SAP industry solutions, including Oil & Gas, Utilities, Banking and Automotive.

These SAP security vulnerabilities allow attackers to bypass authorization restrictions, access business data such as customer or procurement data, and manipulate business processes including payment transactions.

Based on the information ESNC supplied, SAP released code corrections (patches) or instructional information for mitigating these issues. SAP publicly acknowledges ESNC.

ESNC has also discovered critical vulnerabilities in third-party SAP add-ons such as OpenText IXOS or XFT HR solutions.

We support our customers with periodic workshops, risk management services and the development of vulnerability management processes specific to SAP systems and applications.

Please contact us directly to effectively reduce risks across your business landscape and make your SAP security bulletproof.

The following list is a portion of the released SAP security notes that are based on ESNC’s collaboration with SAP SE (the company) to improve the security of SAP enterprise components, industry solutions and front-end applications such as SAPGUI.

This list is long, so we have only included some of the items. Please note that some security patches, such as those for vulnerabilities in SAP GRC, resolve multiple vulnerabilities ESNC has discovered and reported.

  • ESNC is an active contributor to the security community.
  • ESNC has presented many vulnerabilities in SAP’s products which allow bypassing authentication, attacking digital certificates, or running remote operating system commands, resulting in manipulation of business processes and theft of sensitive data.
  • ESNC presents its latest research in security conferences such as BlackHat, Defcon, CCC Annual Congress, RISK, Sec-T, so that the right people can take mitigating actions.
  • ESNC has developed proven methodologies to assess and secure SAP systems of top enterprises.
  • ESNC’s products are updated based on the latest threats and discoveries in SAP security research.
  • Customers using ESNC’s products can be protected against many of the threats even before SAP patches them.

Location / Industry Solution | Vulnerability Discovered by ESNC | SAP's Patch ID
SAP Oil & Gas Industry - Materials Management | Remote ABAP Code Injection | SAP Security Note 1873131
SAP Automotive Industry - Core Module | Privilege Escalation & SoD Bypass | SAP Security Note 1860258
SAP GRC - Governance Risk and Compliance - Access Control | Privilege Escalation & SoD Bypass, Remote Arbitrary Program Execution | SAP Security Note 2039348
Banking - European Monetary Union | Remote Code Injection | SAP Security Note 1788426
All Industries - Password Cracking Attacks | Password Cracking | SAP Security Note 1484692
SAP Human Resources / Human Capital Management | Remote Arbitrary Program Execution | SAP Security Note 1779317
SAP Utilities Industry, SAP Public Sector, SAP Telecommunications Industry, SAP Media Industry - Contract Accounting | Privilege Escalation & SoD Bypass | SAP Security Note 1851835
All Industries - SAP Security Components (BC-SEC) | Decryption of Usernames and Passwords | SAP Security Note 1902611
SAP Environment, Health and Safety - Regulatory Checks Module | Remote Arbitrary Program Execution | SAP Security Note 1845802
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902986
SAP Healthcare - Hospitals - Clinical System | Privilege Escalation & SoD Bypass | SAP Security Note 1691744
All Industries - SAP Solution Manager | Remote OS Command Execution | SAP Security Note 1940405
All Industries - Attacks to SAPGUI | Remote OS Command Execution on Connecting Workstations | SAP Security Note 1483525
All Industries - Attacks to SAP Cryptographic Components | Single Sign-on Attacks - Authentication Bypass | SAP Security Note 1497104
SAP Financing Source - Expenditure Certification | Remote Arbitrary Program Execution | SAP Security Note 1840304
All Industries - SAP Message Server Security | Password Sniffing - Man in the Middle | SAP Security Note 1421005
SAP Environment, Health and Safety - Dangerous Goods Management | Privilege Escalation & SoD Bypass | SAP Security Note 1673016
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1791089
SAP Human Resources - Personnel Administration | Remote Arbitrary Program Execution | SAP Security Note 1852738
Business Warehouse - BEx Business Explorer | Remote ABAP Code Injection | SAP Security Note 1885371
SAP Financial Supply Chain Management | Remote ABAP Code Injection | SAP Security Note 1858566
All Industries - Attacks to SAP Cryptographic Components | Authentication Bypass | SAP Security Note 1485029
SAP Java AS - Software Update Manager | Decryption of Usernames and Passwords | SAP Security Note 1842817
SAP Media Industry - Product Master Data Management | Privilege Escalation & SoD Bypass | SAP Security Note 1853040
All Industries - SAP Solution Manager | Admin Password Disclosure | SAP Security Note 1865109
Business Warehouse | Privilege Escalation & SoD Bypass | SAP Security Note 1971397
SAP Project Management | Privilege Escalation & SoD Bypass | SAP Security Note 1858474
SAP Invoice Management | Privilege Escalation & SoD Bypass | SAP Security Note 2015232
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902402
Business Warehouse - BEx - Business Explorer | Remote Code Injection | SAP Security Note 1886051
Cost Controlling | Remote ABAP Code Injection | SAP Security Note 1511107
Document Management Services | Remote Arbitrary Program Execution | SAP Security Note 1842826
SAP Project Management | Remote Code Injection | SAP Security Note 1776695
SAP Database Monitors for Oracle | Remote Arbitrary Program Execution | SAP Security Note 1881914
All Industries - Attacks to SAP Transport Management System (TMSADM) | Password Cracking | SAP Security Note 1488406
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1795948
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1792354
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1852955
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1905591
Supply Chain Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1910737
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1537089
Project-Oriented Procurement | Remote Arbitrary Program Execution | SAP Security Note 1862392
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1906568
All Industries - BASIS Communication Services | Remote OS Command Injection | SAP Security Note 1674132
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1856296
Enterprise Service Infrastructure - Web Service Infrastructure | Privilege Escalation & SoD Bypass | SAP Security Note 1776984
All Industries - SAPGUI Frontend Services | Remote Arbitrary Program Execution | SAP Security Note 1750997
SAP LiveCache Applications | Privilege Escalation & SoD Bypass | SAP Security Note 1889999
Basis Components - Administration Assistant | Remote OS Command Injection | SAP Security Note 1668224
Basis Components - Business Management | Privilege Escalation & SoD Bypass | SAP Security Note 1772498
Business Process Library | Remote Arbitrary Program Execution | SAP Security Note 1813734
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1843169
Controlling - Product Cost Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1777228
Custom Development Management | Privilege Escalation & SoD Bypass | SAP Security Note 1771567
All Industries - Schedule Manager | Privilege Escalation & SoD Bypass | SAP Security Note 1771204
SAP Basis Components | Hardcoded Password | SAP Security Note 1774903
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1870485
SAP Quality Inspection | Privilege Escalation & SoD Bypass | SAP Security Note 1945300
SAP Production Orders | Remote Arbitrary Program Execution | SAP Security Note 1907712