SAP Code Vulnerability Analyzer scan
We run an automated scan of custom ABAP code using the SAP Code Vulnerability Analyzer, configuring the analysis rules to fit the client's environment.
We scan custom ABAP code for vulnerabilities such as SQL injection, command injection, path traversal, hardcoded credentials and access control flaws. We support remediation of critical vulnerabilities ahead of a security audit or a conversion to SAP S/4HANA.
Vulnerabilities in custom code can become a genuine route of attack against an SAP environment. Identifying and remediating them closes attack vectors that platform hardening alone does not cover.
Clean code, aligned with the Clean Core approach, reduces the risk and cost of conversion. Problems in custom code are better found before an S/4HANA project than during it.
A report from the code review, with vulnerabilities classified by severity, can support a NIS2, DORA or ISO 27001 audit as evidence of control over the security of custom SAP code.
The report is not a raw list of findings. It contains a map of vulnerabilities prioritised as critical, important and low, together with a remediation recommendation.
We complement the automated scan with an expert review of critical objects - especially where the logic of authorisations, interfaces, RFC integrations or custom business mechanisms requires judgement.
We describe every finding with a severity rating, potential impact and remediation priority. Results are presented in a format ready for both technical and business decision-making.
We prepare remediation recommendations with effort estimates, ordered by risk and by the relevant deadline: audit, S/4HANA conversion, release or another project milestone.
Optionally, the SNOK team can fix critical vulnerabilities or provide mentoring for the client's development team.
After fixes are implemented, we run a further scan and review to confirm that vulnerabilities have been effectively closed.
A code review begins by defining the scope: packages, objects, interfaces and business areas relevant to SAP security or a planned S/4HANA conversion.
We then run the SAP Code Vulnerability Analyzer scan and complement it with a manual expert review of high-risk areas.
The report contains a vulnerability classification, an impact description, a proof of concept for critical findings, and a prioritised remediation plan.
After fixes are implemented, we can carry out a retest to confirm remediation was effective. The whole engagement is consistent with SAP penetration testing methodology and external audit requirements.
Technology stack
Partnerships backed by our team's certifications. Full authorisation for delivery and support.
Bank (financial sector)
Custom ABAP code scanning and review ahead of a security audit, and remediation of critical vulnerabilities before go-live.
Industrial manufacturer
Custom code review ahead of a conversion to SAP S/4HANA, including a reduction of technical debt and vulnerabilities in the system core.
Critical infrastructure operator
A periodic ABAP code review as part of an NIS2 compliance programme.
Penetration testing examines a running system from the outside and inside. The SAP Code Vulnerability Analyzer analyses the ABAP source code for vulnerabilities. These are complementary approaches - together they give a fuller picture of SAP security.
We focus on custom code: Z* objects, extensions and modifications, since this is where organisation-introduced vulnerabilities most often arise. Standard SAP code is covered by the vendor's SAP Security Notes.
Conversion requires reviewing and adapting custom code. Detecting vulnerabilities and non-compliance with the Clean Core approach before conversion reduces the project's risk, cost and duration.
Yes, optionally. We can fix critical vulnerabilities or transfer the knowledge to the client's development team. After remediation, we carry out a retest confirming that the gaps have been closed.