Authors Gaurav Singh and Juan Perez-Etchegoyen recently took part in the SAP PRESS Book Club webinar series, where they answered reader questions about cybersecurity for SAP over the course of an hour. There were so many questions submitted that we couldn't get to them all.
The authors were able to answer the remainder of the questions in this blog post. Read on to learn more!
Q: Who is the book written for?
A: Our book Cybersecurity for SAP is written for a broad range of professionals. It aims to provide information suitable for individuals coming from either the SAP applications world or the IT security world.
Specifically, the intended readers include:
- SAP professionals who want to transition into the field of cybersecurity
- Basis administrators
- SAP security consultants aiming to strengthen their skills and understanding of SAP cybersecurity issues
- SAP developers who work with SAP applications but lack a security background
- IT security professionals, such as penetration testers or SOC analysts, who have cybersecurity skills but want to understand SAP applications
The book recognizes that securing SAP applications requires a mix of multiple skills formed by combining IT security and SAP technology. It seeks to bridge the gap between the cybersecurity world and the SAP world and empower both InfoSec/cybersecurity teams and SAP teams with the necessary mindset, tools, and understanding.
For those already in SAP fields (like SAP security/GRC and Basis), the book offers a significant career growth opportunity to extend their skillset into an area with unmet demand and growth potential.
Q: What are a few key points that you cover in your book?
A: Below are some examples of a few key points from the book.
The book introduces basic cybersecurity concepts and principles regarding SAP applications. This includes foundational ideas like the CIA Triad (Confidentiality, Integrity, and Availability) and the IAAA concepts (Identification, Authentication, Authorization, and Accountability). It also lays the groundwork by explaining vulnerabilities, threats, and risks specifically in the context of SAP.
It highlights nontraditional SAP security domains which are at the heart of the book. While traditional SAP security focuses on areas like authentication, roles, and governance, risk, and compliance (GRC), the book delves into areas often ignored in traditional SAP security, such as vulnerability management, threat management, incident response, logging and monitoring, and secure development.
The book provides a comprehensive look at vulnerabilities and patches in the SAP landscape. It explains SAP Security Notes, including notable types like SAP HotNews Notes and SAP Security Notes, and breaks down the anatomy of an SAP Note, detailing its structure, attributes, and contents, such as CVEs, CVSS scores, affected components, correction instructions, and support packages.
It covers threat detection and incident response tailored for SAP applications. The book discusses understanding threats, threat actors (including motivations like financial gain), and the components of effective threat management. It also delves into incident response as a specialized practice for handling security breaches in SAP and highlights the importance of logging and monitoring, including the security audit log.
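As an added illustration of the vulnerability-management flow the book describes (example code written for this post, not from the book or from SAP), the snippet below models the SAP Security Note attributes listed above and triages a constructed set of notes against a constructed component inventory. Note IDs, CVE numbers, components, releases and support package levels are placeholders; the HotNews cut-off of CVSS 9.0 follows SAP's priority classification.

```python
"""Triage SAP Security Notes against an installed component inventory (example)."""
from __future__ import annotations
from dataclasses import dataclass

HOTNEWS_THRESHOLD = 9.0  # SAP rates notes with CVSS 9.0-10.0 as HotNews

@dataclass(frozen=True)
class SecurityNote:
    note_id: str                  # placeholder, not a real SAP Note number
    cvss: float
    cves: tuple[str, ...]         # placeholder CVE ids
    component: str                # affected software component, e.g. SAP_BASIS
    release: str                  # affected release of that component
    fixed_in_sp: int              # first support package that contains the fix
    has_correction_instruction: bool = True  # fix also available via SNOTE

@dataclass(frozen=True)
class InstalledComponent:
    component: str
    release: str
    sp_level: int

def applicable_notes(notes: list[SecurityNote], inventory: list[InstalledComponent]) -> list[SecurityNote]:
    """Keep notes whose affected component/release is installed below the fixed SP."""
    installed = {(c.component, c.release): c.sp_level for c in inventory}
    return [n for n in notes
            if installed.get((n.component, n.release), n.fixed_in_sp) < n.fixed_in_sp]

def prioritize(notes: list[SecurityNote], inventory: list[InstalledComponent]) -> list[SecurityNote]:
    """HotNews first, then remaining applicable notes by CVSS descending."""
    return sorted(applicable_notes(notes, inventory),
                  key=lambda n: (n.cvss < HOTNEWS_THRESHOLD, -n.cvss))

def remediation_plan(notes: list[SecurityNote], inventory: list[InstalledComponent]) -> list[tuple[str, str]]:
    """Map each applicable note to the fastest fix path described in the note."""
    plan = []
    for n in prioritize(notes, inventory):
        path = f"upgrade {n.component} {n.release} to SP {n.fixed_in_sp:04d}"
        if n.has_correction_instruction:
            path = "apply correction instruction via SNOTE, or " + path
        plan.append((n.note_id, path))
    return plan

# Constructed sample data: one vulnerable HotNews note, one already patched,
# one vulnerable high-priority note, one for a component that is not installed.
SAMPLE_INVENTORY = [InstalledComponent("SAP_BASIS", "750", 20),
                    InstalledComponent("SAP_UI", "754", 5)]
SAMPLE_NOTES = [
    SecurityNote("NOTE-A", 9.8, ("CVE-XXXX-0001",), "SAP_BASIS", "750", 22),
    SecurityNote("NOTE-B", 7.5, ("CVE-XXXX-0002",), "SAP_UI", "754", 3),
    SecurityNote("NOTE-C", 8.1, ("CVE-XXXX-0003",), "SAP_BASIS", "750", 21, False),
    SecurityNote("NOTE-D", 6.5, ("CVE-XXXX-0004",), "SAP_GWFND", "750", 10),
]
```

Run against a real landscape, the inventory would come from the system's component list and the notes from SAP's published security notes; the logic stays the same.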
Q: How does the book guide developers in proactively hardening custom ABAP code—specifically regarding data validation, authorization checks, and secure coding practices within dynamic forms and enhancements?
A: The book guides developers in hardening custom ABAP code by discussing secure development as a key component of nontraditional SAP security, linked to vulnerability management. Through the book we touch on different risks such as data validation, where we note that lack of proper input validation can lead to critical injection flaws like SQL injection and cross-site scripting.
Throughout the book, we recommend different security controls (for example, regarding authorization checks). The book emphasizes that application-layer controls, including role-based access control, least privilege, and segregation of duties, are critical for restricting user access to functionality and data, principles that should be applied to custom code.
Q: Why do you need cybersecurity in an SAP system? Almost every important SAP system uses VPNs.
A: This is a good question. While VPNs are a component of network security, which is an important layer in securing the SAP landscape, they are not sufficient on their own. I (Juan) addressed this topic a few years ago here: 8 Reasons Perimeter Security Alone Won't Protect Your Crown Jewels. All of the points are still completely relevant in 2025. Despite that, in today’s modern SAP landscapes, organizations typically have all sorts of environments (on-premise, cloud SaaS, cloud IaaS, and cloud PaaS). All of them are completely interconnected and many of their parts are internet facing, further extending the attack surface.
Q: What are the key targets for SAP hackers? Is it the database, operating system, or core SAP application?
A: For the most part, we have seen attackers targeting the application layer more than other layers. While the database and the underlying operating system that support SAP applications are also targets, they are often compromised as a means to an end: gaining access to or control over the SAP application and its sensitive data. Attacks exploiting vulnerabilities in the SAP application or OS can lead to compromising database access credentials or bypassing database access controls.
Therefore, attackers target vulnerabilities across the entire SAP stack, including the application, OS, and database, ultimately seeking to exploit the critical business data and processes within the SAP application.
Q: Are there any known hacks of an SAP system?
A: Below are some examples of well-known attacks and attack types targeting SAP applications:
- Compromises via Exploiting SAP Vulnerabilities: Historical compromises such as those by the hacking collective Anonymous (#OpGreece) and in the US Information Service (USIS) breach were confirmed to begin through the exploitation of SAP vulnerabilities, including the invoker servlet vulnerability (CVE-2010-5326). The financially motivated group Elephant Beetle also leveraged the invoker servlet vulnerability.
- Malware Involving SAP Applications: Different variations of malware have evolved to understand SAP applications, such as Trojan.Ibank, Dridex, and BlackCat ransomware, searching for specific SAP processes and services to capture information or make encryption more effective. Linux-specific malware has been deployed in SAP applications by abusing well-known SAP vulnerabilities to execute OS commands.
- 10KBLAZE Exploits: These exploits target configuration issues in the message server and SAP Gateway components, which can lead to a potential full compromise of an unsecured SAP application by allowing an attacker to register a fake application server and execute external programs.
- RECON Vulnerability: Exploiting CVE-2020-6287 allowed for unauthenticated creation of an administrator user on affected SAP systems, leading to complete compromise.
- ICMAD Vulnerabilities: These critical vulnerabilities, including CVE-2022-22536, affect the Internet Communication Manager (ICM) and can be exploited without user authentication via HTTP over the internet, potentially leading to full compromise of the SAP application.
- CVE-2025-31324: Between March and May of 2025, threat actors exploited a zero-day vulnerability to compromise hundreds of organizations. This campaign is still ongoing.
Q: Does SAP provide any tools to identify SAP cybersecurity vulnerabilities?
A: SAP provides some tools that could help to identify vulnerabilities; more specifically, you have system recommendations in SAP Solution Manager, which can provide some level of visibility into certain security vulnerabilities, but that has many technical limitations too.
Q: What are the key cybersecurity measures which organizations should look at, and what are some low-hanging threats that can be handled easily without much investment?
A: It is all about the processes. It is important to integrate SAP applications into processes that most likely already exist in your organization, such as vulnerability management, threat management, incident response, or the secure development lifecycle. In order to manage that integration, you might need specialized knowledge and solutions to help. Despite that, there is certain low-hanging fruit that could be addressed as a starting point. This article might help in navigating that initial phase.
This post was originally published 5/2025.