Layer Seven Security

Penetration Testing for SAP RISE / SAP Cloud ERP

Layer Seven on October 29, 2025

As enterprises increasingly migrate to S/4HANA Cloud platforms as part of SAP RISE/ Cloud ERP transformations, the need to secure these mission-critical environments has never been greater. SAP cloud solutions manage essential financial, operational, and human resource data, forming the digital backbone of organizations. While SAP provides a robust infrastructure with built-in security controls, customers are responsible for securing their own configurations, integrations, and extensions as part of a shared model of responsibility for security. Penetration testing is therefore a critical step in validating the effectiveness of these security measures.

Cloud ERP systems expand the traditional attack surface by integrating with third-party applications, partners and APIs. Even a single insecure interface or misconfigured role can allow unauthorized access to sensitive data or processes. Penetration testing provides a proactive mechanism to identify such weaknesses before they are exploited. It helps to verify cloud configurations meet security best practices, network segmentation is properly enforced, and custom developments or business add-ons do not introduce vulnerabilities.

Regular penetration testing validates that monitoring and alerting tools are capable of detecting and containing cyber threats. For organizations subject to compliance frameworks such as SOX, GDPR, or ISO 27001, penetration testing also provides essential evidence of due diligence.

A typical penetration test for SAP RISE / Cloud ERP follows a structured methodology:

Planning and Scoping
The testing team works with business and IT stakeholders to define the scope including systems, integrations, network zones, and user roles. This stage also includes obtaining formal approval from SAP ECS (Enterprise Cloud Services) to perform testing in RISE environments.

Coordination with SAP ECS
Although penetration tests are performed by external security service providers, they must be closely coordinated with SAP ECS. Because SAP RISE / Cloud ERP environments are managed by SAP ECS, customers cannot conduct testing independently. Instead, a Penetration Test Request must be submitted through the SAP support portal under component BC-OP-RC-ECS, typically at least six weeks in advance. The request must specify:

  • The purpose and objectives of the test
  • The systems or tenants involved
  • The testing provider (internal or external)
  • Expected timeline and test methods

SAP ECS reviews the request to ensure that testing will not affect shared infrastructure or violate service-level agreements. Once approved, SAP coordinates scheduling, network access, and monitoring to support the testing.

Rules of Engagement for SAP RISE
SAP enforces specific Rules of Engagement (RoE) for all penetration tests in RISE / Cloud ERP environments. Key requirements include:

  • Testing for only customer managed layers. This includes application configuration, extensions, and custom code. Direct testing of the SAP-managed infrastructure or platform components is not permitted.
  • Testing must be non-disruptive and conducted within agreed maintenance windows. Denial-of-service (DoS) or destructive payloads are prohibited.
  • All vulnerabilities discovered must be reported confidentially to SAP ECS, following SAP’s responsible disclosure process.
  • External testers must sign SAP’s Non-Disclosure and Penetration Test Agreement before gaining access.

Assessment and Exploitation
Authorized testers use both automated tools and manual techniques to identify vulnerabilities in application configurations, user privileges, and exposed interfaces. This may include attempts to escalate privileges, bypass access controls, or extract sensitive data within approved boundaries.

Reporting and Remediation
The final report details vulnerabilities, their risk levels, and recommended mitigation steps. SAP ECS may review findings that affect managed components, while customer teams focus on remediating application-layer issues.

Penetration testing is an indispensable component for ensuring the resilience of SAP systems and components in RISE / Cloud ERP environments. By simulating attack scenarios, it provides tangible assurance that security controls are effective and vulnerabilities are promptly addressed. When performed in coordination with SAP ECS under formal rules of engagement, penetration testing not only strengthens the customer’s security posture but also reinforces the shared-responsibility model that underscores SAP’s cloud ecosystem. Regular, well-governed testing ensures that organizations maintain the confidentiality, integrity, and availability of their most critical SAP resources in the cloud.

Layer Seven Security is an approved SAP Services Partner. We offer a range of services and solutions to help secure SAP solutions in RISE/ Cloud ERP. This includes Penetration Testing for SAP and automated audits to identify compliance gaps against mandatory security and hardening requirements for SAP RISE/ Cloud ERP solutions defined by SAP ECS.

Securing the SAP Cloud Connector

Layer Seven on February 26, 2025

The SAP Cloud Connector is an agent that links SAP BTP applications with on-premise SAP systems. As a reverse proxy, it enables internal systems to connect securely with BTP services without exposing the systems to direct external access. Permitted connections between BTP resources and backend systems can be maintained directly in the Cloud Connector rather than network firewalls. The Cloud Connector supports HTTP and RFC connections between BTP and SAP systems, as well as direct database connections.

The Connector links directly to external services. Therefore, it should be positioned in a DMZ and segmented from internal SAP systems. Since the DMZ is a separate physical or logical network, segmentation would protect internal SAP systems in the event of a compromise in the Cloud Connector.  Systems in SAP landscapes should be configured to accept requests only from trusted Connectors. A failover instance of the Connector is recommended for high availability. This is known as a Shadow Connection, maintained in the High Availability section of the Connector UI.

The Connector should be installed in a dedicated server that does not share resources with other services, especially application services. Access to the Cloud Connector at the OS level should be restricted and OS auditing should be enabled to monitor file operations for the Connector. This includes the Secure Storage in the File System (SSFS) that stores encryption keys and other sensitive data for the Connector. It is also recommended to enable hard-drive encryption for the server hosting the Connector. This will safeguard sensitive configuration data against the unauthorized access and changes. Separate Cloud Connector instances are recommended for connecting to productive and non-productive subaccounts in BTP.

The Connector uses file-based authentication which cannot support multiple users. It is delivered with a single Administrator user that has full administrative rights for the Connector. LDAP-based user authentication should be configured to support multiple users and avoid the use of the Administrator user as a shared account. This would also support traceability for user actions and more granular access control by allowing the use of display and monitoring roles that do not include administrative privileges.

The Administrator user is shipped with a well-known default password. The password is stored as a hash in the file system. Although the Connector prompts users to change the password during installation, it is critical to monitor changes to the Administrator account to ensure that the password does not revert back to the default. This could lead to the compromise of the Administrator account and therefore the Cloud Connector.

Connections from SAP BTP to the Cloud Connector are SSL-encrypted. Currently, supported protocols are HTTP, HTTPS, RFC, RFC with SNC, LDAP, LDAPS, TCP, and TCP over TLS. Connections from the Connector to backend systems should be authenticated and encrypted. Therefore, HTTPS and RFC SNC are recommended over HTTP and RFC. Permissions for technical users should granted based on the principle of least privilege and should not include full administrative rights. Whitelisting is also recommended to restrict access to only the required BTP applications for each subaccount and resources in backend systems.

The self-signed X.509 certificate used for the Connector UI should be replaced by a certificate issued by a certificate authority. Supported TLS ciphers for UI certificates should be SHA256 or greater bit length. Support for less secure ciphers should be disabled in the configuration of the Connector.

The audit log level should be set to SECURITY (default) or ALL. It should not be set to OFF. The value SECURITY will lead the Connector to log blocked requests and configuration changes. The value ALL will enable the Connector to log all requests including successful connections. Logs are stored in the file system. A separate file is created for each day. Deletion of older log files can be enabled using the setting Automatic Cleanup setting in the Audits section of the Administration UI. The Cloud Connector includes a script to verify the integrity of the audit logs and protect against log tampering. The location of the log files can be modified from the default directory, although the performance of the Connector may be impacted if you change the location from the host for the Connector to another server in the network.

HTTP and RFC traces enabled through the Connector may disclose sensitive information such as passwords and credit card data to Administrators. This can be mitigated by requiring two separate users to activate a trace.  The file writeHexDump must be created in the scc_config directory for Connectors installed in Linux hosts. The owner of the file must be different than the OS user for Connector processes and not a member of the OS user group sccgroup. The owner of the file will be required to change the file content from allowed=false to allowed=true before an administrator can activate a trace.

Each version of the Cloud Connector is supported by SAP for only 12 months. Therefore, the Connector should be upgraded regularly. It should also be upgraded regularly in response to security notes for the Connector released by SAP. This includes Hot News note 2696233 that deals with multiple critical vulnerabilities in the Cloud Connector. Version 2.11.3 or higher is required to address the vulnerabilities in the note.

The SAP Cloud Connector is an important interface between SAP cloud services and on-premise systems in today’s hybrid SAP landscapes. As an external-facing agent with access to business-critical internal SAP systems, securing the Connector is essential to protect SAP solutions from targeted attacks. The Cybersecurity Extension for SAP automatically scans and detects security misconfigurations and user-related issues in the SAP Cloud Connector that may expose the Connector to such attacks. It also monitors the patch level to ensure the Connector stays updated to the recommended version in response to security vulnerabilities. Finally, the Cybersecurity Extension for SAP monitors the audit log for the Cloud Connector to automatically alert for security incidents. This includes configuration changes, changes to the Administrator account including passwords, changes to connected BTP subaccounts and backend systems, the activation of traces, settings for logging and auditing, role changes, certificates, LDAP, SNC, and many other areas.

Security Logging and Alerting for SAP BTP

Layer Seven on September 24, 2024

SAP BTP is a cloud platform that is intended to decouple SAP customizations required by customers from underlying SAP solutions. As part of SAP’s drive for a clean core and to promote a modular architecture, BTP enables organizations to enhance and extend the capabilities of their SAP solutions by deploying custom code, integrations and other enhancements to a separate platform, without modifying standard SAP solutions. This is intended to realize more flexibility, easier scalability, faster upgrades, improved security, and, crucially, lower maintenance. Lower maintenance costs are especially important for SAP in the context of SAP RISE. Heavily customized environments increase the burden on SAP managed services for RISE customers. Therefore, RISE customers are provided with consumption credits for BTP by SAP.

On-premise customers can also benefit from BTP. They can access services for development, automation, integration, analytics, and artificial intelligence offered by both SAP and partners in BTP. For example, SAP Build Apps enables customers to rapidly develop and deploy applications with no-code or low-code using a drag-and-drop interface. This can dramatically lower development efforts for simple applications, More complex applications can be created using the SAP Business Application Studio cloud development environment together with the Cloud Application Programming Model and ABAP RESTful application model frameworks. The frameworks simplify application development by, for example, automatically generating required OData services based on data models. Developers can also leverage generative AI services in BTP to automatically generate ABAP code based on prompts.

Once developed, the applications can be deployed directly in BTP. Therefore, BTP supports both application development and application hosting for runtime services. Applications deployed to BTP can be integrated with on-premise solutions using the SAP Cloud Connector.

SAP BTP has a shared model of responsibility for security. Since BTP is a Platform-as-Service (PaaS), SAP is responsible for managing the infrastructure. Customers are responsible for application-level security including managing user authentication and role assignments, application maintenance and changes, and maintaining global account and sub-account settings. Sub-accounts are similar to environments in on-premise landscapes. They are used to separate development scenarios and projects. Each sub-account is a sandboxed environment. Users and roles are managed for each sub-account.

The Identity Authentication service authenticates BTP users using a federated model that separates authentication mechanisms from applications. The service supports Single Sign-On (SSO) via SAML 2.0 and two-factor authentication.

BTP services and applications record security-related events to a central Audit Log. Events are categorized by data access, data modification, security events, and configuration changes. Logged events include actions such as user logons and logoffs, changes to user permissions, groups and trust relationships, transports, and application creation, deletion and crashes. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. The default retention period is 90 days for events in the Audit Log. A subscription to the premium edition of the Audit Log service is required to change the retention period and to log events from custom applications in BTP to the Audit Log.

The Audit Log can be analyzed using the Audit Log Viewer. The Viewer enables customers to query log data based on user, time, category, message content, and other fields. However, it returns a maximum of 500 records per query request. Records can be exported for offline analysis. A subscription to the Audit Log Viewer service is required to use the Viewer.

The Auditlog Management service can be activated for global accounts and/or subaccounts to integrate the BTP Audit Log with external systems using the Audit Log Retrieval API. The API is region-specific and secured by OAuth. Therefore, access tokens must be configured for external systems to consume the service. Request rates are throttled based on the region, ranging between 4-8 requests per second for each token and tenant. Log records are retrieved by HTTP GET requests from external systems to the BTP service.

The SAP Alert Notification Service provides an alternative method for monitoring and integrating BTP events with external systems. The service sends real-time notifications for events in BTP applications and services. It includes APIs to both create and consume alerts. Unlike the Audit Log Retrieval API, it supports native integration with incident management solutions such as ServiceNow, messaging channels such as email, and messaging platforms such as Slack and Microsoft Teams. It also supports feeds from cloud providers including Amazon CloudWatch, Microsoft Azure Monitor, and Google Cloud Platform Operations. Another benefit of the SAP Alert Notification Service over the Audit Log Retrieval API is built-in integration with the SAP Cloud Transport Management Service and SAP Automation Pilot. The latter is a BTP service that supports automated response handling for alerts.

The Cybersecurity Extension for SAP supports both the Audit Log Retrieval API and the SAP Alert Notification Service to monitor and alert for security events in SAP BTP. Security alerts for BTP are combined with alerts for other SAP applications, databases, hosts and services for end-to-end monitoring of SAP cloud and on-premise landscapes. Events and alerts for all SAP solutions including BTP are integrated by the Cybersecurity Extension for SAP with SIEM systems including Splunk, QRadar, LogRhythm, Sentinel and many more.