
Safe Tuesday with SNOK: SAP penetration testing – the key to securing critical business infrastructure

In the era of digital transformation, SAP systems form the operational backbone of many enterprises worldwide. These advanced ERP (Enterprise Resource Planning) platforms manage critical business processes, from finance to human resources, logistics and customer relationships. As SAP systems grow in complexity and integration, the attack surface for potential cyber threats grows with them.

At SNOK, as a certified SAP partner and cybersecurity expert, we continuously observe the evolution of threats targeting SAP systems. Our experience shows that traditional security measures are often insufficient against advanced, targeted attacks. This is why penetration testing has become a key tool in the arsenal of defence against cybercriminals.

Anatomy of an SAP system

Before delving into the specifics of penetration testing itself, it is worth understanding the structure of a typical SAP environment:

  1. Presentation layer: The user interface, most commonly SAP GUI or a web-based solution such as SAP Fiori.

  2. Application layer: SAP application servers, processing business logic.

  3. Database layer: Stores system and business data.

  4. Integration layer: Interfaces and protocols enabling communication with external systems.

Each of these layers may contain potential security vulnerabilities that comprehensive penetration tests must take into account.

Key areas of SAP penetration testing

  1. Network security
     • Analysis of network segmentation and firewall configuration
     • Testing the security of SAP-specific network protocols (e.g. RFC)
     • Verification of encryption for communication between system components

  2. Application security
     • Audit of the SAP NetWeaver application server configuration
     • Testing for code injection vulnerabilities (e.g. SQL injection in ABAP reports)
     • Verification of access control mechanisms and segregation of duties

  3. Database security
     • Analysis of database security configuration (e.g. SAP HANA)
     • Data integrity and confidentiality testing
     • Verification of backup and data recovery procedures

  4. Access and authorisation management
     • Audit of password policies and authentication mechanisms
     • Testing for segregation of duties (SoD) violations and excessive privileges
     • Analysis of identity and access management (IAM) processes

  5. Interface security
     • Security testing of RFC, IDoc and web interfaces
     • Verification of authorisation mechanisms for integration with external systems
     • Analysis of vulnerabilities in custom extensions and interfaces

  6. System configuration
     • Audit of operating system-level security settings
     • Verification of the configuration of SAP components (e.g. SAP Router, SAP Web Dispatcher)
     • Analysis of compliance with SAP Security Baseline best practices

SAP penetration testing methodology

At SNOK, we apply a rigorous, multi-stage penetration testing methodology tailored to the specifics of SAP systems:

  1. Reconnaissance and information gathering
     • Identification of SAP system components and their versions
     • Analysis of available interfaces and services
     • Mapping of the system architecture and the relationships between components

  2. Scanning and enumeration
     • Use of specialist tools for scanning SAP vulnerabilities
     • Identification of weak points in configuration and security settings
     • Analysis of open ports and SAP-specific services

  3. Vulnerability analysis
     • Assessment of identified vulnerabilities in terms of their criticality and potential business impact
     • Verification of vulnerabilities in the context of the specific SAP environment
     • Prioritisation of threats using the DREAD model

  4. Exploitation
     • Execution of controlled attacks on identified vulnerabilities
     • Simulation of various attack vectors, including social engineering attacks
     • Privilege escalation and attempts to gain access to critical data

  5. Post-exploitation
     • Analysis of the possibility of maintaining persistent access to the system
     • Assessment of the potential impact of a successful attack on business continuity
     • Identification of connected systems and the potential for the attack to spread

  6. Reporting and recommendations
     • Preparation of a detailed technical report
     • Development of a business-friendly executive summary
     • Presentation of specific remedial recommendations with prioritised actions

  7. Verification and retesting
     • Support during the process of remediating identified vulnerabilities
     • Conducting retests to confirm the effectiveness of the implemented fixes

Black Box vs. White Box testing

At SNOK, we carry out both black box and white box testing, depending on the needs and specifics of the client organisation:

  • Black Box Testing: Simulates an attack by an external adversary with no prior knowledge of the system. Allows an assessment of the organisation’s vulnerability to external attacks.

  • White Box Testing: Draws on full knowledge of the system’s architecture and configuration. Enables deeper analysis and the identification of more subtle security vulnerabilities.

We frequently apply a hybrid approach, combining elements of both methods to achieve the most comprehensive results. We refer to such tests as Grey-Box testing.

Most commonly detected vulnerabilities in SAP systems

Based on our many years of experience, we have identified several areas that are frequently a source of vulnerabilities in SAP systems:

  1. Incorrect configuration of user permissions and roles

  2. Unpatched system components and missing security fixes

  3. Weak security of RFC and web interfaces

  4. Insufficient encryption of sensitive data in transit and at rest

  5. Vulnerabilities in custom ABAP code, particularly in reports and forms

  6. Incorrect configuration of SAP Router and SAP Web Dispatcher

  7. Absent or insufficient security monitoring and event logging

Challenges in testing SAP systems

Penetration testing of SAP systems involves a number of unique challenges:

  1. Environment complexity: SAP systems are highly integrated and often heavily customised to an organisation’s needs.

  2. Risk of disruption: Testing must be conducted with the utmost care so as not to disrupt critical business processes.

  3. Specialist expertise: Effective testing requires deep knowledge of SAP architecture and its specifics.

  4. Pace of change: Frequent updates and patches require the testing methodology to be continuously updated.

  5. Regulatory compliance: Testing must take into account industry and legal requirements (e.g. GDPR, SOX).

Benefits of conducting SAP penetration testing

  1. Identification of real threats: Detection of security vulnerabilities that could be exploited by attackers.

  2. Assessment of the effectiveness of existing safeguards: Verification that implemented security mechanisms function as intended.

  3. Regulatory compliance: Support in meeting legal requirements and industry standards.

  4. Prioritisation of remedial actions: Enabling resources to be focused on the most critical threats.

  5. Raising security awareness: Demonstrating the real business impact of potential attacks.

  6. Optimisation of security investment: Identification of areas requiring additional safeguards.

When to conduct SAP penetration testing

Regular penetration testing should be an integral part of the security strategy of any organisation using SAP systems. It is particularly important in the following situations:

  1. After the implementation of new modules or significant configuration changes

  2. Before and after conversion to SAP S/4HANA

  3. Following mergers and acquisitions, when different SAP environments are being integrated

  4. As part of preparations for compliance audits (e.g. SOX, PCI DSS)

  5. After a security incident has been detected or a breach is suspected

  6. As part of a cyclical risk management process (e.g. annually)

Case study: Detection of a critical vulnerability in a custom SAP module

As part of a recent project for a client in the manufacturing sector, our team identified a critical security vulnerability in a custom SAP module responsible for managing product recipes. The vulnerability allowed unauthorised users to modify product composition, which could have had serious consequences for product quality and safety.

The detection process involved:

  1. Analysis of the module’s source code using static ABAP code analysis tools

  2. Dynamic tests simulating various usage scenarios

  3. A proof-of-concept exploit demonstrating the possibility of unauthorised modification of recipes

Thanks to rapid identification and remediation of the vulnerability, the client avoided potential financial and reputational losses. This case study underscores the importance of regular, comprehensive penetration testing, particularly in the context of custom SAP solutions.

The future of SAP penetration testing

As SAP technology evolves and the threat landscape changes, penetration testing methodologies must adapt accordingly. At SNOK, we actively track and implement innovations in this field:

  1. Automation and AI: Using artificial intelligence to analyse attack patterns and automate parts of the testing process.

  2. Continuous Penetration Testing: Implementing continuous, automated security testing integrated into the software development lifecycle (DevSecOps).

  3. Cloud Security: Extending testing methodologies to address the specifics of cloud environments, including SAP BTP.

  4. IoT and embedded systems: Accounting for the growing integration of SAP systems with IoT devices and industrial systems in testing.

  5. Blockchain in SAP: Developing methods for testing blockchain technology implementations in SAP solutions.

SNOK’s role in SAP penetration testing

SNOK, as a leading SAP partner in the field of cybersecurity, plays a key role in shaping penetration testing standards for SAP systems. Our many years of experience in implementing and securing SAP environments, combined with advanced cybersecurity expertise, allow us to offer a unique approach to penetration testing. The SNOK team comprises certified SAP consultants and experienced penetration testers, guaranteeing a holistic view of SAP system security. We have developed our own testing methodology that takes into account the specifics of SAP architecture, custom extensions and integrations with external systems. Our approach is not limited to detecting vulnerabilities alone - we offer comprehensive support in eliminating them and in building a long-term security strategy. SNOK actively participates in the SAP Security community, sharing knowledge at industry conferences and contributing to the development of open-source tools for SAP security.

Expert commentary - Patryk Budkowski, Cybersecurity Specialist at SNOK

“SAP penetration testing is not a luxury, but a necessity in today’s cyber threat landscape,” emphasises Patryk Budkowski, Chief Cybersecurity Specialist at SNOK. “In my practice, I have repeatedly encountered situations where seemingly well-secured SAP systems proved vulnerable to advanced attacks. It is crucial to understand that traditional security measures are often insufficient against evolving attack techniques. Penetration testing allows us to look at the system through the eyes of a potential attacker, uncovering vulnerabilities that might otherwise go unnoticed during standard audits. Moreover, professionally conducted testing not only identifies problems but also provides concrete, practical recommendations for resolving them. At SNOK, we place great emphasis on client education - for us, every test is an opportunity to raise security awareness within the organisation. We should remember that in cybersecurity there is no room for compromise - a single overlooked vulnerability can cost a company millions and damage its reputation for years.”

Summary

Penetration testing of SAP systems is a key element in ensuring the security of critical business infrastructure. Given the growing number and complexity of cyberattacks, organisations cannot afford to neglect this area.

At SNOK, we combine deep knowledge of SAP systems with expert knowledge of the latest penetration testing techniques. Our comprehensive approach, encompassing both black box and white box testing, enables the effective identification and prioritisation of security risks.

We should remember that security is a process, not a product. Regular, professionally conducted penetration testing is essential for any organisation using SAP systems, particularly in the face of constantly evolving cyber threats. It enables not only the identification of potential vulnerabilities, but also continuous improvement of the level of security and compliance with regulatory requirements.

We invite you to contact our experts to find out how we can help secure your SAP environment through comprehensive penetration testing. Together, we can build a robust defence strategy against cyber threats, protecting your critical business systems and data from attack.
