ESNC consultants are publicly acknowledged by SAP for discovery and reporting of more than 100 security vulnerabilities.
Get your systems assessed by the best professionals!
HOW IT WORKS: CHOOSE YOUR SAP SECURITY ASSESSMENT TYPE | DEFINE THE SCOPE | SET UP THE PROJECT DATE FOR EXECUTION
-
OPTION 1 – In-depth SAP Security Analysis
Thoroughly analyze all SAP systems, including ABAP, Java AS, S/4HANA, Solution Manager, ERP, mobile, Fiori, Business Objects and more. Identify vulnerabilities such as remote OS command execution, SoD authorization bypass, and password theft, which can have direct business impact, including manipulation of sensitive business transactions and processes, theft of customer data, and corruption of financial information.
Get detailed recommendations about your SAP user setup process and authorization flaws, network connectivity and encryption, patch process, activated services, server-to-server communication, and implementation of SAP best practices.
-
OPTION 2 – Application Security Assessment
Analyze your ABAP code against the OWASP Top 10 vulnerabilities and ABAP-specific vulnerabilities, such as ABAP injection, SQL injection, XSS and authentication bypass. Identify ABAP backdoors and mitigate risks based on our guidelines.
ESNC SAP SECURITY AUDIT & ASSESSMENT BENEFITS
-
Focus on Critical Business Risks – Open Gaps
Analyze SAP system security based on business functionality and impact. Identify vulnerability root cause and eliminate risks based on expert guidance.
Get a detailed explanation of issues, risks, and recommendations for mitigation, including references to SAP security guidelines.
-
False Positives? We don’t have any
All our security assessments go through an extensive quality check before final delivery. All our findings are accurate and provide proper evidence and recommendations, so that the technical teams and management can understand the issues and work on the mitigating actions efficiently.
-
The Answer to Your Question "What Do We Do Next?"
Prioritization of the security activities is one of the most important aspects of our SAP security review. Based on the security vulnerabilities in your SAP landscape and their interconnectivity, we tell you which SAP security issues to focus on first for quick wins.
We collaborate with your SAP and security teams to come up with an action plan that addresses the root causes, including the gaps in your business processes, so that the issues do not reappear after they have been fixed.
-
Threat Analysis – Detection of Existing Breaches and Fraud
The in-depth security assessment includes an analysis of your security logs and business data to detect whether a breach of your system has actually happened.
Did someone steal the customer or supplier list, download payroll information of the employees, change the bank details of a vendor and initiate a purchase? This and many other cases are assessed.
-
Establish SAP Security Baselines
Based on the results, align business requirements with proper security controls and collaborate with our experts to develop SAP security-hardening documents and baselines covering ABAP, SAP Java, SAP BASIS, and user authorizations.
-
Mind-blowing Security Charts and Dashboards for Your Management
With our multivector threat analysis feature we analyze the interconnectivity of your systems and present the findings to you with visualizations you have never seen before. The result is a very clear and understandable security posture of all your SAP systems in scope, which any manager can easily understand and approve, even without prior SAP knowledge.
-
ESNC’s Expert Advantage
Since ESNC was established in 2009, its sole focus has always been SAP security. ESNC experts have helped many organizations with the identification and mitigation of SAP security vulnerabilities. All consultants assigned by ESNC are publicly acknowledged by SAP for the discovery of vulnerabilities in SAP standard software.
-
Power and Speed by ESNC Security Suite
ESNC SAP security consultants always use ESNC Security Suite during assessments. This gives them immense speed and accuracy in detecting security issues and in determining whether the systems have already been breached. The SAP security checks and automatic inventory detection done by our software would take man-months if done solely via consultancy.
By Introducing Security During the Design Phase of New Technologies Such as S/4HANA, You Can Reduce Costs Significantly
Fixing issues after implementation is costly. By focusing on SAP S/4HANA security, SAP Hybris security or other individual components such as Fiori during the design phase, you can reduce costs and increase security in the most efficient way.
SAP Security Vulnerabilities Discovered and Reported by ESNC
ESNC has discovered and reported critical security issues in SAP’s products, many of which apply to all industry solutions of SAP including Oil & Gas, Utilities, Banking or Automotive.
These SAP security vulnerabilities allow attackers to bypass authorization restrictions, access business data such as customer or procurement data, and manipulate business processes including payment transactions.
Based on the information ESNC supplied, SAP released code corrections (patches) or instructional information for mitigating these issues. SAP publicly acknowledges ESNC.
ESNC has also discovered critical vulnerabilities in third-party SAP add-ons such as OpenText IXOS or XFT HR solutions.
We support our customers with periodic workshops, risk management services and development of vulnerability management processes specific to SAP systems and applications.
Please contact us directly to effectively reduce the risks across your business landscape and make your SAP security bulletproof.
The following list is a portion of the released SAP security notes that are based on ESNC's collaboration with SAP SE (the company) to improve the security of SAP enterprise components, industry solutions and front-end applications such as SAPGUI.
The full list is long, so we have included only some of the items. Please note that some security patches, such as those for vulnerabilities in SAP GRC, resolve multiple vulnerabilities ESNC has discovered and reported:
- ESNC is an active contributor to the security community.
- ESNC has presented many vulnerabilities in SAP's products which allow bypassing authentication, attacking digital certificates, or running remote operating system commands, resulting in manipulation of business processes and theft of sensitive data.
- ESNC presents its latest research in security conferences such as BlackHat, Defcon, CCC Annual Congress, RISK, Sec-T, so that the right people can take mitigating actions.
- ESNC has developed proven methodologies to assess and secure SAP systems of top enterprises.
- ESNC's products are updated based on the latest threats and discoveries in SAP security research.
- Customers using ESNC’s products can be protected against many of the threats even before SAP patches them.
| Location / Industry Solution | Vulnerability Discovered by ESNC | SAP's Patch ID |
|---|---|---|
| SAP Oil & Gas Industry - Materials Management | Remote ABAP Code Injection | SAP Security Note 1873131 |
| SAP Automotive Industry - Core Module | Privilege Escalation & SoD Bypass | SAP Security Note 1860258 |
| SAP GRC - Governance Risk and Compliance - Access Control | Privilege Escalation & SoD Bypass, Remote Arbitrary Program Execution | SAP Security Note 2039348 |
| Banking - European Monetary Union | Remote Code Injection | SAP Security Note 1788426 |
| All Industries - Password Cracking Attacks | Password Cracking | SAP Security Note 1484692 |
| SAP Human Resources / Human Capital Management | Remote Arbitrary Program Execution | SAP Security Note 1779317 |
| SAP Utilities Industry, SAP Public Sector, SAP Telecommunications Industry, SAP Media Industry - Contract Accounting | Privilege Escalation & SoD Bypass | SAP Security Note 1851835 |
| All Industries - SAP Security Components (BC-SEC) | Decryption of Usernames and Passwords | SAP Security Note 1902611 |
| SAP Environment, Health and Safety - Regulatory Checks Module | Remote Arbitrary Program Execution | SAP Security Note 1845802 |
| SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902986 |
| SAP Healthcare - Hospitals - Clinical System | Privilege Escalation & SoD Bypass | SAP Security Note 1691744 |
| All Industries - SAP Solution Manager | Remote OS Command Execution | SAP Security Note 1940405 |
| All Industries - Attacks to SAPGUI | Remote OS Command Execution on Connecting Workstations | SAP Security Note 1483525 |
| All Industries - Attacks to SAP Cryptographic Components | Single Sign-on Attacks - Authentication Bypass | SAP Security Note 1497104 |
| SAP Financing Source - Expenditure Certification | Remote Arbitrary Program Execution | SAP Security Note 1840304 |
| All Industries - SAP Message Server Security | Password Sniffing - Man in the Middle | SAP Security Note 1421005 |
| SAP Environment, Health and Safety - Dangerous Goods Management | Privilege Escalation & SoD Bypass | SAP Security Note 1673016 |
| Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1791089 |
| SAP Human Resources - Personnel Administration | Remote Arbitrary Program Execution | SAP Security Note 1852738 |
| Business Warehouse - BeX Business Explorer | Remote ABAP Code Injection | SAP Security Note 1885371 |
| SAP Financial Supply Chain Management | Remote ABAP Code Injection | SAP Security Note 1858566 |
| All Industries - Attacks to SAP Cryptographic Components | Bypassing authentication | SAP Security Note 1485029 |
| SAP Java AS - Software Update Manager | Decryption of Usernames and Passwords | SAP Security Note 1842817 |
| SAP Media Industry - Product Master Data Management | Privilege Escalation & SoD Bypass | SAP Security Note 1853040 |
| All Industries - SAP Solution Manager | Admin password disclosure | SAP Security Note 1865109 |
| Business Warehouse | Privilege Escalation & SoD Bypass | SAP Security Note 1971397 |
| SAP Project Management | Privilege Escalation & SoD Bypass | SAP Security Note 1858474 |
| SAP Invoice Management | Privilege Escalation & SoD Bypass | SAP Security Note 2015232 |
| SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902402 |
| Business Warehouse - BEx - Business Explorer | Remote Code Injection | SAP Security Note 1886051 |
| Cost Controlling | Remote ABAP Code Injection | SAP Security Note 1511107 |
| Document Management Services | Remote Arbitrary Program Execution | SAP Security Note 1842826 |
| SAP Project Management | Remote Code Injection | SAP Security Note 1776695 |
| SAP Database Monitors for Oracle | Remote Arbitrary Program Execution | SAP Security Note 1881914 |
| All Industries - Attacks to SAP Transport Management System (TMSADM) | Password Cracking | SAP Security Note 1488406 |
| Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1795948 |
| Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1792354 |
| Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1852955 |
| SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1905591 |
| Supply Chain Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1910737 |
| Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1537089 |
| Project-Oriented Procurement | Remote Arbitrary Program Execution | SAP Security Note 1862392 |
| SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1906568 |
| All Industries - BASIS Communication Services | Remote OS Command Injection | SAP Security Note 1674132 |
| Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1856296 |
| Enterprise Service Infrastructure - Web Service Infrastructure | Privilege Escalation & SoD Bypass | SAP Security Note 1776984 |
| All Industries - SAPGUI Frontend Services | Remote Arbitrary Program Execution | SAP Security Note 1750997 |
| SAP LiveCache Applications | Privilege Escalation & SoD Bypass | SAP Security Note 1889999 |
| Basis Components - Administration Assistant | Remote OS Command Injection | SAP Security Note 1668224 |
| Basis Components - Business Management | Privilege Escalation & SoD Bypass | SAP Security Note 1772498 |
| Business Process Library | Remote Arbitrary Program Execution | SAP Security Note 1813734 |
| SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1843169 |
| Controlling - Product Cost Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1777228 |
| Custom Development Management | Privilege Escalation & SoD Bypass | SAP Security Note 1771567 |
| All Industries - Schedule Manager | Privilege Escalation & SoD Bypass | SAP Security Note 1771204 |
| SAP Basis Components | Hardcoded Password | SAP Security Note 1774903 |
| Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1870485 |
| SAP Quality Inspection | Privilege Escalation & SoD Bypass | SAP Security Note 1945300 |
| SAP Production Orders | Remote Arbitrary Program Execution | SAP Security Note 1907712 |