SAP Code Vulnerability Analyzer and custom code review

We scan custom ABAP code for vulnerabilities such as SQL injection, command injection, path traversal, hardcoded credentials and access control flaws. We support remediation of critical vulnerabilities ahead of a security audit or a conversion to SAP S/4HANA.

What your organisation gains

A smaller attack surface

Vulnerabilities in custom code can become a genuine route of attack against an SAP environment. Identifying and remediating them closes attack vectors that platform hardening alone does not cover.

A smoother S/4HANA conversion

Clean code, aligned with the Clean Core approach, reduces the risk and cost of conversion. Problems in custom code are better found before an S/4HANA project than during it.

Evidence of due diligence

A report from the code review, with vulnerabilities classified by severity, can support an NIS2, DORA or ISO 27001 audit as evidence of control over the security of custom SAP code.

A concrete remediation plan

The report is not a raw list of findings. It contains a map of vulnerabilities prioritised as critical, important and low, together with a remediation recommendation.

What we deliver on this project

SAP Code Vulnerability Analyzer scan

We run an automated scan of custom ABAP code using the SAP Code Vulnerability Analyzer, configuring the analysis rules to fit the client's environment.

Manual custom code review

We complement the automated scan with an expert review of critical objects - especially where the logic of authorisations, interfaces, RFC integrations or custom business mechanisms requires judgement.

Vulnerability classification

We describe every finding with a severity rating, potential impact and remediation priority. Results are presented in a format ready for both technical and business decision-making.

Prioritised remediation plan

We prepare remediation recommendations with effort estimates, ordered by risk and by the relevant deadline: audit, S/4HANA conversion, release or another project milestone.

Remediation support

Optionally, the SNOK team can fix critical vulnerabilities or provide mentoring for the client's development team.

Retest after remediation

After fixes are implemented, we run a further scan and review to confirm that vulnerabilities have been effectively closed.

How we deliver projects in this area

A code review begins by defining the scope: packages, objects, interfaces and business areas relevant to SAP security or a planned S/4HANA conversion.

We then run the SAP Code Vulnerability Analyzer scan and complement it with a manual expert review of high-risk areas.

The report contains a vulnerability classification, an impact description, a proof of concept for critical findings, and a prioritised remediation plan.

After fixes are implemented, we can carry out a retest to confirm remediation was effective. The whole engagement is consistent with SAP penetration testing methodology and external audit requirements.

Technology stack

SAP Code Vulnerability Analyzer (CVA), SAP ATC (ABAP Test Cockpit), SAP NetWeaver, SAP S/4HANA, ABAP, ABAP Cloud, OWASP, SAP Security Baseline

Partnerships backed by our team's certifications. Full authorisation for delivery and support.

Where we have delivered similar solutions

Bank in the financial sector

Custom ABAP code scanning and review ahead of a security audit, and remediation of critical vulnerabilities before go-live.

Industrial manufacturer

Custom code review ahead of a conversion to SAP S/4HANA, including a reduction of technical debt and vulnerabilities in the system core.

Critical infrastructure operator

A periodic ABAP code review as part of an NIS2 compliance programme.

FAQ - SAP Code Vulnerability

How does CVA differ from an SAP penetration test?

Penetration testing examines a running system from the outside and inside. The SAP Code Vulnerability Analyzer analyses the ABAP source code for vulnerabilities. These are complementary approaches - together they give a fuller picture of SAP security.

Does the review also cover standard SAP code?

We focus on custom code: Z* objects, extensions and modifications, since this is where organisation-introduced vulnerabilities most often arise. Standard SAP code is covered by the vendor's SAP Security Notes.

How does the review support an S/4HANA conversion?

Conversion requires reviewing and adapting custom code. Detecting vulnerabilities and non-compliance with the Clean Core approach before conversion reduces the project's risk, cost and duration.

Does SNOK fix the vulnerabilities found?

Yes, optionally. We can fix critical vulnerabilities or transfer the knowledge to the client's development team. After remediation, we carry out a retest confirming that the gaps have been closed.