SEKurity GmbH

SAP SECURITY TESTS

SAP security understood, not just certified.

SAP is its own world. We test SAP systems with specialists who know the difference between NetWeaver ABAP, NetWeaver Java and S/4HANA and who use the DSAG audit guides as a working basis, not as decoration.

01 · PLATFORM

SAP*, DDIC, Gateway, RFC, Message Server.

We review the well-known default users SAP*, DDIC, SAPCPIC and EARLYWATCH for password hygiene and lock status. Gateway and Message Server are checked for missing reg_info, sec_info and ms/acl_info configurations. RFC destinations are analysed for stored credentials, trusted relationships and privilege gradients between systems.
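As an illustration of the Gateway ACL part of this review (added here as an example, not SEKurity's own tooling), the following helper parses the documented reg_info / sec_info line syntax (P/D action followed by KEY=VALUE fields with comma-separated values) and flags permit rules that are open to any host. The sample file contents and the program name EXT_PROG are constructed; treating a rule without a HOST field as unrestricted is an audit assumption.

```python
# Added example, not part of the original page. Audits SAP Gateway ACL files
# (reg_info / sec_info) for permit rules that accept any host. Assumes the
# documented syntax: "P" (permit) or "D" (deny), then KEY=VALUE fields whose
# values are comma-separated; lines starting with "#" are comments/headers.

SAMPLE_REG_INFO = """#VERSION=2
P TP=* HOST=local
P TP=EXT_PROG HOST=*
D TP=* HOST=*
"""  # constructed sample: rule 2 lets EXT_PROG register from anywhere


def parse_acl(text):
    """Parse reg_info / sec_info contents into a list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines, #VERSION, comments
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unexpected ACL line: {line!r}")
        rule = {"action": action}
        for field in fields:
            key, _, value = field.partition("=")
            rule[key.upper()] = value.split(",")
        rules.append(rule)
    return rules


def find_permissive(rules):
    """Return (severity, message) findings for permit rules open to any host."""
    if not rules:
        return [("HIGH", "no rules parsed: ACL file is missing or empty")]
    findings = []
    for idx, rule in enumerate(rules, 1):
        if rule["action"] != "P":
            continue
        hosts = rule.get("HOST")
        # Audit assumption: a missing HOST field is treated like HOST=*.
        if hosts is None or "*" in hosts:
            tp = ",".join(rule.get("TP", ["*"]))
            severity = "HIGH" if tp == "*" else "MEDIUM"
            findings.append((severity, f"rule {idx}: permits TP={tp} from any host"))
    return findings


if __name__ == "__main__":
    for severity, message in find_permissive(parse_acl(SAMPLE_REG_INFO)):
        print(severity, message)
```

Rules are evaluated top-down with the first match winning, so a wildcard permit that precedes the closing deny is reachable even when the file ends with `D TP=* HOST=*`.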

02 · AUTHORISATIONS

SAP_ALL, S_DEVELOP, critical transactions.

SAP_ALL itself is rare; SAP_ALL-equivalent privilege is common. We analyse roles and profiles for critical single authorisation objects such as S_DEVELOP, S_TABU_DIS, S_RFC and S_USER_GRP, and for the dangerous combinations that do not stand out in SU24. We also check segregation of duties against the DSAG and ISACA catalogues and assess the transport system for four-eyes-principle bypasses.

03 · EXPOSURE

Solution Manager, Fiori, Web Dispatcher.

We see SAP components at the perimeter more and more often: Fiori launchpads, Web Dispatcher, Solution Manager, SAProuter. We check these against current SAP security notes and publicly known vulnerabilities such as 10KBLAZE and RECON, verify the separation of production and development systems, and ask whether a given SAP system really needs to be reachable from the internet at all.

READY

SAP security that doesn't end at user maintenance.

We deliver a report that both SAP Basis and internal audit can understand. On request, we support remediation through to a retest.