Fortifying the Fortress: Do’s and Don’ts of Strengthening SAP Cybersecurity

Cybersecurity is more crucial than ever, especially for enterprise applications running the SAP platform. Why put a spotlight on SAP platforms? Because SAP platforms are used by 99 of the Fortune 100 companies and have more than 280 million cloud subscribers worldwide. Many companies run SAP ERP, SAP SRM, and SAP HCM environments while simultaneously moving SAP implementations to the cloud. Due to the massive scaling of SAP systems, organizations are losing track of their vulnerability as hyperscalers, SaaS models, on-prem, and cloud-based systems continue to expand the attack surface.

To help IT departments understand the ever-increasing, porous nature of their vital business systems, the National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF), a set of guidelines and best practices for improving cybersecurity. The NIST CSF is a generic framework that offers five core functions for effectively managing cybersecurity risks:

  1. Identify an organization’s cybersecurity risks and inventory the systems, assets, data, and capabilities that need protection. This helps an organization understand the potential impact points of a cyberattack.
  2. Implement safeguards and controls to ensure that critical systems and data are secure. Safeguarding includes protecting against unauthorized access, implementing security controls, and promoting cybersecurity awareness and training.
  3. Implement processes and tools to detect cybersecurity events and security-critical activities. The method includes identifying unusual activity, continuous monitoring, and implementing incident detection and response capabilities.
  4. Develop and implement an incident response plan to manage cybersecurity events. This plan needs to include procedures for responding to incidents, defining roles and responsibilities, and communicating with stakeholders.
  5. Establish processes and procedures within the recovery function to restore systems and data after a cybersecurity event. The recovery process includes developing and testing a disaster recovery plan, analyzing lessons learned from incidents, and taking steps to improve resilience.

However, NIST is only a framework or guideline to help IT personnel better understand cybersecurity risks. The devil is truly in the details regarding cybersecurity protection for vital systems such as SAP. Many organizations do not realize native SAP security (out-of-the-box) cannot offer the in-depth protection needed to thwart hacking attempts.

Realize What You Don’t Know

Although the servers, security logs, and system communications help secure data, it’s still vital to monitor and track every movement within SAP systems, and as previously mentioned, out-of-the-box SAP tools do not allow for efficient monitoring. SAP systems can only be protected against the threat of cyberattacks if all attack vectors have been hardened; the native SAP Solution Manager and the integrated configuration validation tools are only a starting point. Users need to be aware that SAP vulnerability management cannot easily be achieved using the native SAP Solution Manager for these reasons:

  • It’s not intuitive or easy to implement.
  • Functions are only available after an extensive implementation with additional maintenance.
  • The false positives are typically too high, causing users to distrust the SAP Solution Manager results and ignore the time-consuming checks necessary to validate or disprove notifications.

The Attack Most Don’t See Coming

The SAP information disclosure vulnerability is an often overlooked cybersecurity gap. An SAP information disclosure vulnerability is a security flaw that enables unauthorized users to access sensitive data in SAP systems. This can include private or financial information, proprietary information, or other confidential data.

Weak access controls, unpatched software, or other configuration issues that permit unauthorized access to sensitive data are just a few examples of the many causes of information disclosure vulnerabilities.

These flaws can pose a serious risk to businesses that depend on SAP systems to store and manage sensitive data. So, it’s crucial to regularly check and fix any potential issues to keep the system secure.

How does the exploitation of SAP information disclosure vulnerabilities work? Attackers can exploit information disclosure vulnerabilities in diverse ways, depending on the specific weakness in the SAP system. One standard method attackers use to exploit SAP information disclosure vulnerabilities is to probe the system for faults. This can involve scanning the network for open ports or services, looking for default passwords or other configuration issues, or attempting to exploit known vulnerabilities in the software.

Once the attacker has identified a vulnerability that allows them to access sensitive data, they can use this information to carry out other attacks. For example, they may use the stolen data to launch a spear-phishing attack or gain access to other systems connected to the SAP system.

An example of an information disclosure vulnerability in SAP can be caused by a configuration issue that allows an unauthorized user to enter the SAP system and access sensitive data stored in the system.

For instance, a threat actor can access sensitive data without proper authorization if you don’t correctly configure an SAP system.

This could occur if you don’t set up the access control lists in the system correctly or if there is a flaw in the software program code that allows an attacker to bypass these controls. Internet communication services residing in the public namespace intentionally do not require authentication. Attackers know this and often acquire system information during the exploration phase.
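As an added example (not code from the original article or from SAP), the following sketch audits an export of Internet communication services for the two conditions described above: active services in the public namespace that nobody has approved, and active services outside it that are reachable without authentication. The CSV columns, every service name, and the allowlist are constructed for illustration; the only real identifier assumed is the `/sap/public/` path prefix of the public namespace.

```python
import csv
import io

PUBLIC_PREFIX = "/sap/public/"  # ICF path of the public (unauthenticated) namespace

# Constructed sample export; the columns and all service names are assumptions.
SAMPLE_EXPORT = """\
path,active,auth_required
/sap/public/zdemo_ping,X,
/sap/public/zdemo_sysinfo,X,
/sap/public/zdemo_icons,X,
/sap/public/zdemo_old,,
/sap/bc/zdemo_app,X,X
/sap/bc/zdemo_report,X,
/SAP/Public/ZDEMO_SysInfo/,X,
"""

# Hypothetical allowlist of public services the business has signed off on.
APPROVED_PUBLIC = {"/sap/public/zdemo_ping", "/sap/public/zdemo_icons"}


def normalize(path):
    """Lower-case and drop surrounding slashes so duplicate rows collapse."""
    return "/" + path.strip().strip("/").lower()


def audit(export_text, approved):
    """Return (path, reason) for every active service that needs review."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        path = normalize(row["path"])
        if row["active"].strip().upper() != "X" or path in seen:
            continue  # inactive services and repeated rows are not findings
        seen.add(path)
        in_public = (path + "/").startswith(PUBLIC_PREFIX)
        covered = any(path == a or path.startswith(a + "/") for a in approved)
        if in_public and not covered:
            findings.append((path, "active public service not on allowlist"))
        elif not in_public and row["auth_required"].strip().upper() != "X":
            findings.append((path, "active service reachable without authentication"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_EXPORT, APPROVED_PUBLIC):
        print(f"{path}: {reason}")
```

Running the audit on a schedule and diffing the findings against the previous run turns a one-time hardening step into a check for configuration drift.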

Stopping Disclosure Vulnerabilities—A Multi-Layered Approach

Preventing information disclosure vulnerabilities in SAP systems requires a multi-layered approach involving a combination of technical controls, policies and procedures, and user awareness. The flaw can occur in the native SAP product, where it requires precise patching, but it can also sit in customer-owned program code, which needs to be scanned and corrected. Additionally, an incorrect configuration can cause an information disclosure vulnerability.

Security platforms are available that offer solutions to help organizations improve the security of their SAP systems. These cybersecurity solutions provide these types of advanced features:

  • Vulnerability Management—As the name implies, this feature scans SAP applications and databases for vulnerabilities and provides detailed information on how to fix the issues uncovered. This helps organizations identify and address potential security weaknesses before attackers exploit them.
  • Real-Time Threat Detection—Real-time threat detection surveys all SAP application log sources for suspicious activity and alerts security teams—in real time—to potential incidents. These real-time alerts help organizations quickly identify and respond to potential security threats before they can cause damage. They also assist organizations in complying with KRITIS, GDPR, SOX, and PCI DSS regulations.


As the adoption of SAP continues to rise globally, so does the risk of hackers penetrating valuable data. Although beneficial from a superficial layer, standard cybersecurity practices lack the specific insights into the inner workings of SAP systems to reduce attack vectors and sufficiently harden the system.

IT personnel must approach SAP security more thoughtfully and avoid reliance on out-of-the-box cybersecurity remedies as their primary frontline defense. The best protection against hackers is a well-orchestrated offense. Identifying and blocking SAP attacks at their onset can only be accomplished by leveraging real-time—and trusted—alerts from platforms intricately designed as a companion to the main application.

Remember, security measures in native applications often only cover the basics, and today’s well-funded and organized hackers are far from basic.