SAP Security Testing


SAP is a highly complex framework for Enterprise Resource Planning (ERP). As one of the world’s largest and most commonly deployed ERP systems, SAP has undergone considerable transformation over time to become a core part of many businesses’ operations. Securing SAP requires more than a review of roles and profiles; it’s a complex exercise that calls for real experts with in-depth knowledge.

Mandalorian consultants have been conducting SAP Security Testing since R/3 was still current. We’ve watched SAP grow through ITS and NetWeaver into the modern platform it is today. Our consultants have extensive experience in SAP ABAP/4 and Java security, and are skilled in attacking across dialog, CPIC, and SAP’s various web interfaces.

The Mandalorian Approach

Following an initial scoping meeting or call, we provide a fully scoped quote for your SAP Security Test. Depending on the maturity of your SAP solution, this may take longer than scoping a normal penetration test, as considerable landscape detail is needed to scope accurately, and SAP deployments tend to have a large amount of stakeholder engagement that can sometimes (rightly) slow the process down.

Our consultants perform the work in accordance with the agreed scope. Once the test is complete, consultants produce a report with a high-level executive summary, a detailed technical section, and appendices for any relevant observations requiring further detail.

Typical Findings

While each SAP Security Test is different, common findings include:

  • Default accounts across clients
  • Insecure RFCs with weak authorizations
  • Portal access control weaknesses
  • Remote command execution
  • SAPGUI Debug support enabled in production
  • Insecure ABAP/Java calls in custom code
  • Insufficient authorizations
  • Privilege escalation vulnerabilities
  • Weak infrastructure controls
  • Transport integrity weaknesses

Why Choose Mandalorian?

Most dedicated SAP security practices have a solid understanding of SAP roles, profiles and authorizations. Mandalorian’s experience includes coverage of core operating system, database and supporting SAP infrastructure internals to complement the above. This means that with Mandalorian’s SAP Security Test you get the full picture, not just the SAP specifics. Our commitment to incredible support means that we’ll help you through the test all the way, from helping with concerns around scoping through to engaging with stakeholders to assist in triage.

Next Steps

Call us now on 01256 830 146, or give us a few details about when your next health check is due and how we can help, and we’ll get back to you asap.