SAP Vulnerability Assessment and SAP Security Audit Services by ESNC

ESNC consultants are publicly acknowledged by SAP for discovery and reporting of more than 100 security vulnerabilities.

Get your systems assessed by the best professionals!

HOW IT WORKS: CHOOSE YOUR SAP SECURITY ASSESSMENT TYPE | DEFINE THE SCOPE | SET UP THE PROJECT DATE FOR EXECUTION

  • OPTION 1 – In-depth SAP Security Analysis

    Thoroughly analyze all SAP systems, including ABAP, Java AS, S/4Hana, Solution Manager, ERP, mobile, Fiori, Business Objects and more. Identify vulnerabilities such as remote OS command execution, SoD authorization bypass, and password theft, which can have direct business impact, including manipulation of sensitive business transactions and processes, theft of customer data, and corruption of financial information.

    Get detailed recommendations about your SAP user setup process and authorization flaws, network connectivity and encryption, patch process, activated services, server-to-server communication, and implementation of SAP best practices.


  • OPTION 2 – Application Security Assessment

    Analyze your ABAP code against the OWASP Top 10 vulnerabilities and ABAP-specific vulnerabilities, such as ABAP injection, SQL injection, XSS and authentication bypass. Identify ABAP backdoors and mitigate risks based on our guidelines.


ESNC SAP SECURITY AUDIT & ASSESSMENT BENEFITS

  • Focus on Critical Business Risks – Open Gaps

    Analyze SAP system security based on business functionality and impact. Identify vulnerability root cause and eliminate risks based on expert guidance.

    Get a detailed explanation of issues, risks, and recommendations for mitigation, including references to SAP security guidelines.


  • False Positives? We don’t have any

    All our security assessments go through an extensive quality check before the final delivery. All our findings are accurate and they provide proper evidence and recommendations for the technical teams and the management to understand the issues and work on the mitigating actions efficiently.


  • Answer to your question “What do we do next?”

    Prioritization of security activities is one of the most important aspects of our SAP security review. Based on the security vulnerabilities in your SAP landscape and the interconnectivity between them, we tell you which SAP security issues you need to focus on most for quick wins.

    We collaborate with your SAP and security teams and come up with an action plan that focuses on the root causes, so that issues caused by gaps in your business processes do not reappear after they have been fixed.


  • Threat Analysis – Detection of Existing Breaches and Fraud

    The in-depth security assessment includes an analysis of your security logs and business data to detect whether a breach of your system has actually happened.

    Did someone steal the customer or supplier list, download payroll information of the employees, change the bank details of a vendor and initiate a purchase? This and many other cases are assessed.


  • Establish SAP Security Baselines

    Based on the results, align business requirements with proper security controls and collaborate with our experts to develop SAP security-hardening documents and baselines covering ABAP, SAP Java, SAP BASIS, and user authorizations.


  • Mind-blowing Security Charts and Dashboards for Your Management

    With our multivector threat analysis feature we analyze the interconnectivity of your systems and present the findings to you with visualizations you have never seen before. The result is a very clear and understandable security posture of all of your SAP systems in scope, which any manager will easily understand and approve, even without any prior SAP knowledge.


  • ESNC’s Expert Advantage

    Since ESNC was established in 2009, ESNC’s sole focus has always been SAP security. ESNC experts have helped many organizations in the identification and mitigation of SAP security vulnerabilities. All consultants assigned by ESNC are publicly acknowledged by SAP for the discovery of vulnerabilities in SAP standard software.


  • Power and Speed by ESNC Security Suite

    ESNC SAP security consultants always use ESNC Security Suite during assessments. This gives them immense speed and accuracy for detecting security issues and determining whether the systems have already been breached. The SAP security checks and automatic inventory detection performed by our software would take man-months if done solely via consultancy.


By introducing security during the design phase of new technologies such as S/4Hana, you can reduce costs significantly.

Fixing issues after implementation is costly. By focusing on SAP S/4Hana security, SAP Hybris security or other individual components such as Fiori during the design phase, you can reduce costs and increase security in the most efficient way.


SAP Security Vulnerabilities Discovered and Reported by ESNC

ESNC has discovered and reported critical security issues in SAP’s products, many of which apply to all industry solutions of SAP including Oil & Gas, Utilities, Banking or Automotive. 

These SAP security vulnerabilities allow attackers to bypass authorization restrictions, access business data such as customer or procurement data, and manipulate business processes including payment transactions.

Based on the information ESNC supplied, SAP released code corrections (patches) or instructional information for mitigating these issues. SAP publicly acknowledges ESNC.

ESNC also discovered critical vulnerabilities in third-party SAP add-ons such as OpenText IXOS or XFT HR solutions.

We support our customers with periodic workshops, risk management services and development of vulnerability management processes specific to SAP systems and applications. 

Please contact us directly for effectively reducing risks on your business landscape and for making your SAP security bulletproof.

The following list is a portion of the released SAP security notes, which are based on ESNC’s collaboration with SAP SE (the company) for improving the security of SAP enterprise components, industry solutions and front-end applications such as SAPGUI.

This list is long, so we have only included some of the items. Please note that some security patches, such as those for vulnerabilities in SAP GRC, resolve multiple vulnerabilities that ESNC discovered and reported:

  • ESNC is an active contributor to the security community.
  • ESNC has presented many vulnerabilities in SAP’s products which allow bypassing authentication, attacking digital certificates, or running remote operating system commands, resulting in manipulation of business processes and theft of sensitive data.
  • ESNC presents its latest research in security conferences such as BlackHat, Defcon, CCC Annual Congress, RISK, Sec-T, so that the right people can take mitigating actions.
  • ESNC has developed proven methodologies to assess and secure SAP systems of top enterprises.
  • ESNC’s products are updated based on the latest threats and discoveries in SAP security research.
  • Customers using ESNC’s products can be protected against many of the threats even before SAP patches them.

Location / Industry Solution | Vulnerability Discovered by ESNC | SAP's Patch ID
SAP Oil & Gas Industry - Materials Management | Remote ABAP Code Injection | SAP Security Note 1873131
SAP Automotive Industry - Core Module | Privilege Escalation & SoD Bypass | SAP Security Note 1860258
SAP GRC - Governance Risk and Compliance - Access Control | Privilege Escalation & SoD Bypass, Remote Arbitrary Program Execution | SAP Security Note 2039348
Banking - European Monetary Union | Remote Code Injection | SAP Security Note 1788426
All Industries - Password Cracking Attacks | Password Cracking | SAP Security Note 1484692
SAP Human Resources / Human Capital Management | Remote Arbitrary Program Execution | SAP Security Note 1779317
SAP Utilities Industry, SAP Public Sector, SAP Telecommunications Industry, SAP Media Industry - Contract Accounting | Privilege Escalation & SoD Bypass | SAP Security Note 1851835
All Industries - SAP Security Components (BC-SEC) | Decryption of Usernames and Passwords | SAP Security Note 1902611
SAP Environment, Health and Safety - Regulatory Checks Module | Remote Arbitrary Program Execution | SAP Security Note 1845802
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902986
SAP Healthcare - Hospitals - Clinical System | Privilege Escalation & SoD Bypass | SAP Security Note 1691744
All Industries - SAP Solution Manager | Remote OS Command Execution | SAP Security Note 1940405
All Industries - Attacks to SAPGUI | Remote OS Command Execution on Connecting Workstations | SAP Security Note 1483525
All Industries - Attacks to SAP Cryptographic Components | Single Sign-on Attacks - Authentication Bypass | SAP Security Note 1497104
SAP Financing Source - Expenditure Certification | Remote Arbitrary Program Execution | SAP Security Note 1840304
All Industries - SAP Message Server Security | Password Sniffing - Man in the Middle | SAP Security Note 1421005
SAP Environment, Health and Safety - Dangerous Goods Management | Privilege Escalation & SoD Bypass | SAP Security Note 1673016
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1791089
SAP Human Resources - Personnel Administration | Remote Arbitrary Program Execution | SAP Security Note 1852738
Business Warehouse - BeX Business Explorer | Remote ABAP Code Injection | SAP Security Note 1885371
SAP Financial Supply Chain Management | Remote ABAP Code Injection | SAP Security Note 1858566
All Industries - Attacks to SAP Cryptographic Components | Bypassing authentication | SAP Security Note 1485029
SAP Java AS - Software Update Manager | Decryption of Usernames and Passwords | SAP Security Note 1842817
SAP Media Industry - Product Master Data Management | Privilege Escalation & SoD Bypass | SAP Security Note 1853040
All Industries - SAP Solution Manager | Admin password disclosure | SAP Security Note 1865109
Business Warehouse | Privilege Escalation & SoD Bypass | SAP Security Note 1971397
SAP Project Management | Privilege Escalation & SoD Bypass | SAP Security Note 1858474
SAP Invoice Management | Privilege Escalation & SoD Bypass | SAP Security Note 2015232
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1902402
Business Warehouse - BEx - Business Explorer | Remote Code Injection | SAP Security Note 1886051
Cost Controlling | Remote ABAP Code Injection | SAP Security Note 1511107
Document Management Services | Remote Arbitrary Program Execution | SAP Security Note 1842826
SAP Project Management | Remote Code Injection | SAP Security Note 1776695
SAP Database Monitors for Oracle | Remote Arbitrary Program Execution | SAP Security Note 1881914
All Industries - Attacks to SAP Transport Management System (TMSADM) | Password Cracking | SAP Security Note 1488406
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1795948
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1792354
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1852955
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1905591
Supply Chain Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1910737
Production Planning and Control | Privilege Escalation & SoD Bypass | SAP Security Note 1537089
Project-Oriented Procurement | Remote Arbitrary Program Execution | SAP Security Note 1862392
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1906568
All Industries - BASIS Communication Services | Remote OS Command Injection | SAP Security Note 1674132
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1856296
Enterprise Service Infrastructure - Web Service Infrastructure | Privilege Escalation & SoD Bypass | SAP Security Note 1776984
All Industries - SAPGUI Frontend Services | Remote Arbitrary Program Execution | SAP Security Note 1750997
SAP LiveCache Applications | Privilege Escalation & SoD Bypass | SAP Security Note 1889999
Basis Components - Administration Assistant | Remote OS Command Injection | SAP Security Note 1668224
Basis Components - Business Management | Privilege Escalation & SoD Bypass | SAP Security Note 1772498
Business Process Library | Remote Arbitrary Program Execution | SAP Security Note 1813734
SAP Customer Relationship Management (CRM) | Privilege Escalation & SoD Bypass | SAP Security Note 1843169
Controlling - Product Cost Planning | Privilege Escalation & SoD Bypass | SAP Security Note 1777228
Custom Development Management | Privilege Escalation & SoD Bypass | SAP Security Note 1771567
All Industries - Schedule Manager | Privilege Escalation & SoD Bypass | SAP Security Note 1771204
SAP Basis Components | Hardcoded Password | SAP Security Note 1774903
Banking - European Monetary Union | Remote Arbitrary Program Execution | SAP Security Note 1870485
SAP Quality Inspection | Privilege Escalation & SoD Bypass | SAP Security Note 1945300
SAP Production Orders | Remote Arbitrary Program Execution | SAP Security Note 1907712