Layer Seven Security

Key Security Findings from the RISE with SAP 2025 Benchmark Report

Layer Seven on December 17, 2025

SAPinsider’s RISE with SAP 2025 benchmark report, co-sponsored by Layer Seven Security, was released in December. Based on a survey of 122 SAPinsider community members conducted between August and November 2025, the study focuses on customer adoption of SAP Cloud ERP Private (formerly referenced in the survey as RISE with SAP) and the factors shaping migration decisions. From a security standpoint, the most material finding is broad customer non-compliance with the shared model of responsibility, and more specifically, failure to implement and sustain SAP’s mandatory security hardening requirements documented in relevant SAP notes for SAP systems operating in SAP’s cloud delivery model.

Broad Non-Compliance with Customer Security Responsibilities

The report identifies a significant gap between SAP’s cloud security expectations and customer execution. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration, access controls, and compliance with SAP-defined hardening standards.

Two key findings stand out:

  • Less than half (45%) of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private security.
  • Approximately one-third are aware of the model but do not follow it rigorously, indicating that a majority of organizations either do not fully understand or are not consistently executing their responsibilities.

This is not a minor administrative gap. The report explicitly warns that failure to follow both the shared responsibility model and SAP’s mandatory hardening requirements leaves systems open to attack. For leadership teams, the implication is straightforward: cloud migration does not transfer accountability for SAP security outcomes to SAP. If required customer-side controls are not implemented and maintained, the organization bears the risk.

Hardening Requirements Are Frequently Missed

The report goes beyond general security awareness and points to a more specific and operational problem: customers running SAP Cloud ERP Private in SAP’s cloud delivery environment must comply with SAP’s mandatory security parameters and hardening requirements, as documented in relevant SAP notes for ABAP, HANA and Java systems and related components. This includes notes 3250501, 3480723 and 3381209.

The report underscores that non-compliance with these requirements materially increases exposure. In business terms, required hardening defines baseline expectations for how SAP systems must be configured to reduce preventable attack paths. Failure to apply those settings—consistently and over time—creates vulnerabilities that can persist in SAP solutions.

Compliance Is a Moving Target

A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, platform changes, and evolving best practices. As a result, a system that was compliant at go-live may drift out of compliance over time even without major architectural change.

This creates a practical operational risk: compliance must be managed as an ongoing discipline, not a one-time implementation deliverable. Organizations need repeatable processes to track new and updated SAP security guidance, assess its applicability, validate their current posture, and remediate gaps across their SAP landscapes.

Business Risk of Non-Compliance: Support, Liability, and Exposure

The consequences of non-compliance extend beyond technical risk and into contractual and legal exposure:

  • Support risk: When hardening requirements and mandatory parameters are not implemented, incident response becomes more complicated. In high-severity security situations, customers may face delays and friction in diagnosis and remediation, and their position with SAP support can be weakened if the environment is not aligned with required security standards.
  • Legal and regulatory risk: In the event of a data breach, organizations are often required to demonstrate that they followed vendor-prescribed security requirements and reasonable security practices. If an organization cannot demonstrate compliance with SAP’s documented security hardening guidance, it can weaken the company’s defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, litigation, and reputational harm. Ultimately, under a shared responsibility model, the customer retains accountability—and therefore liability—for customer-controlled security controls.

Additional Survey Indicators Relevant to Security Posture

Although the report is broader than security, several survey results reinforce the importance of establishing a robust cloud security operating model:

  • 80% of respondents identify comprehensive monitoring to ensure system health and security as a key requirement for their ERP transformation and innovation initiatives.
  • 79% indicate the need for best-practice compliance checks that avoid outages, underscoring that organizations see compliance and stability as tightly linked.

These findings align with the report’s security message: maintaining control effectiveness requires continuous monitoring and governance, not periodic reviews.

How the Cybersecurity Extension for SAP from Layer Seven Security Addresses These Challenges

The report’s core security finding—customer non-compliance with evolving security requirements—directly aligns with the capabilities of Layer Seven Security’s Cybersecurity Extension for SAP. The solution is designed to help organizations operationalize their security responsibilities in SAP RISE / Cloud ERP environments where configuration, compliance, and threat conditions change over time.

At a business level, it supports three outcomes:

  1. Continuous monitoring against current hardening requirements: Automated checks against SAP security baselines help identify non-compliance as SAP standards evolve, rather than relying on periodic manual reviews.
  2. Reduced risk from compliance drift: Ongoing visibility into configuration posture helps prevent gradual degradation of security controls due to system change, integration expansion, or operational turnover.
  3. Improved audit and support readiness: Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective engagement during incidents and escalations.

This approach acknowledges the operational reality emphasized by the report: compliance is a moving target, and organizations need a sustainable mechanism to remain aligned to SAP’s required security standards.

Key Takeaways

The most significant security issue identified in the SAPinsider RISE with SAP 2025 report is customer non-compliance. A majority of organizations are not fully executing their responsibilities under the shared security model, and the most consequential example is failure to comply with SAP’s mandatory hardening requirements documented in SAP notes. Because these requirements evolve over time, compliance must be treated as an ongoing operational discipline—supported by clear accountability, continuous monitoring, and repeatable remediation processes—to reduce operational, legal, and reputational risk in SAP Cloud ERP Private environments.

The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at SAPinsider.

What’s New in the Cybersecurity Extension for SAP Version 2.0

Layer Seven on November 26, 2025

Building upon the successful release of the initial version of the NetWeaver Edition of the Cybersecurity Extension for SAP earlier this year, Layer Seven Security is pleased to announce the upcoming availability of version 2.0. The new release includes important enhancements including support for SAP NetWeaver AS Java, anomaly detection to identify unusual or suspicious activity, the addition of more than 400 new threat detection patterns, and updates for SAP compliance frameworks including the SAP Security Baseline, S/4HANA Security Guide, and mandatory security requirements for SAP RISE / Cloud ERP. The enhancements significantly improve protection for business-critical SAP solutions against advanced cyber threats.

SAP NetWeaver AS Java

The new release of the Cybersecurity Extension for SAP provides coverage for SAP NetWeaver AS Java solutions such as the SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (SAP IdM). Version 2.0 supports vulnerability management for AS Java systems including components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). It also supports the automated discovery of relevant SAP Security Notes for AS Java systems. This includes SAP Java notes for Known Exploited Vulnerabilities (KEV) reported by the U.S Cybersecurity and Infrastructure Security Agency (CISA). Finally, the new release supports monitoring for AS Java logs to detect and alert for security incidents such as user and role changes, system changes, calls for vulnerable servlets including the invoker servlet, and patterns to detect the potential exploitation of AS Java vulnerabilities such as RECON, Log4J and the recent vulnerability detailed in CVE-2025-31324, impacting the SAP NetWeaver Visual Composer Metadata Uploader.

Anomaly Detection

Anomaly detection is a powerful method for detecting potential zero-day attacks without known signatures, brute force attacks, and advanced persistent threats that are difficult to detect using conventional pattern matching techniques. It can also detect insider threats such as privilege abuse or escalation, fraud, and suspicious user actions that deviate from normalized patterns of behavior. Although the Solution Manager Edition of the Cybersecurity Extension for SAP supported anomaly detection for SAP solutions, this feature was not included in the initial release of the NetWeaver Edition. Version 2.0 includes full enablement of anomaly detection in the NetWeaver Edition.

Threat Detection

Version 2.0 of the Cybersecurity Extension for SAP includes a significant increase the volume of threat detection patterns for SAP solutions. It delivers more than 400 new patterns to detect Indicators of Compromise (IOC) in various SAP logs. This includes calls to vulnerable function modules and reports, suspicious file downloads, access to critical tables, directory traversal exploits, and dangerous transaction starts. The addition strengthens the position of the Cybersecurity Extension for SAP as the leading threat detection solution for SAP solutions in terms of coverage. The most recent version of the solution includes more than 1500 threat detection patterns. In comparison, the current version of SAP Enterprise Threat Detection (ETD) includes approximately 200 patterns.

SAP Security Compliance

The Cybersecurity Extension for SAP automates compliance audits for SAP solutions. The solution discovers compliance gaps against multiple security frameworks including GDPR, NIST, SOX and PCI-DSS. It also monitors compliance with SAP security standards such as the SAP Security Baseline, the Security Guide for SAP S/4HANA, and mandatory security requirements for SAP RISE / Cloud ERP solutions defined by SAP Enterprise Cloud Services (ECS). Version 2.0 aligns compliance checks with the latest SAP benchmarks. This includes version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions defined in the latest version of note 3250501, the new version extends coverage for SAP RISE / Cloud ERP checks to include SAP HANA and SAP AS Java solutions. The requirements for these areas are defined in SAP notes 3480723 and 3381209.

What to Expect in Version 3.0

Key updates for the next release of the NetWeaver Edition of the Cybersecurity Extension for SAP include:

  • Support for SAP BTP and SAP Cloud Connector
  • Support for SAProuter and Web Dispatcher
  • Support for RHEL & SUSE OS monitoring including vulnerability scanning and log monitoring
  • Email notifications for security alerts
  • Report automation including scheduling and distribution

The updates will align the capabilities of the NetWeaver Edition with the Solution Manager Edition, enabling existing customers to transition smoothly to the latest platform without any loss in coverage or functionality.

Looking Ahead to 2026

Next year’s roadmap for the Cybersecurity for SAP includes planned enhancements that will improve the user experience and reinforce it’s standing as the leading cybersecurity solution for SAP systems. This includes:

  • Support for SAP SuccessFactors
  • Support for SAP S/4HANA Public Edition
  • Data Loss Protection (DLP) including threat detection patterns and alerts for unauthorized access to sensitive data in SAP solutions
  • Extended checks for critical access and segregation of duties in SAP S/4HANA including a dedicated application to support cross-application user access and role analysis

We extend our best wishes for a Happy Thanksgiving to our customers in the United States and look forward to supporting you in the months ahead.

The Most Critical SAP Security Notes of 2024

Layer Seven on December 16, 2024

Security notes are released by SAP on the second Tuesday of every month to address vulnerabilities in SAP solutions. The vulnerabilities are discovered by external security researchers and reported as part of SAP’s disclosure program. They are also discovered directly by SAP through its’s ongoing research and testing. Security notes are scored by SAP using version 3.0 of the Common Vulnerability Scoring System (CVSS). CVSS generates a score from 0 to 10 based on the severity of the vulnerability. SAP also assigns a priority level for each note. Critical notes are categorized as hot news.

There were over 150 security notes released in 2024 to address vulnerabilities in SAP solutions. The average CVSS score was 5.9. Approximately 1 in 4 of the notes were categorized as hot news or high priority. This article reviews the most important security notes of 2024, based on CVSS score. Hot news notes should be prioritized for implementation. Often, workarounds included in some notes can be applied to mitigate risks if the corrections cannot be applied immediately.

Note 3479478 [CVE-2024-41730] is the one of the highest rated notes of 2024 with a CVSS score of 9.8. The note patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by attackers to compromise logon tickets using a REST endpoint if Single Sign-On is enabled. The property Trusted_Auth_Shared_Secret can be set to Disabled in the effected files to mitigate the vulnerability if BOBJ cannot be upgraded to the required patch level immediately.

Note 3455438 also has a CVSS score of 9.8. The note addresses code injection and remote code execution vulnerabilities in open-source components bundled in SAP CX Commerce. This includes API tools in Swagger UI and database drivers in Apache Calcite Avatica. The solutions referenced in the note remove the vulnerable components in Swagger UI and upgrade Apache Calcite Avatica to the recommended version. There are no workarounds.

Note 3448171 patches CVE-2024-33006 for a critical file upload vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). The CVE is rated 9.6. The vulnerability can be exploited to bypass malware scanning and completely compromise SAP systems. The correction and workaround detailed in the note apply signature checks for the FILESYSTEM and SOMU_DB content repositories. The vulnerability impacts most version of the SAP_BASIS component in AS ABAP.

Note 3425274 [CVE-2019-10744] patches a code injection vulnerability in SAP Build Apps. The vulnerability arises from specific versions of the Lodash open-source JavaScript library used for programming tasks included in SAP Build Apps. Applications should be rebuilt with version 4.9.145 or later to prevent the vulnerability.

SAP Build Apps is also vulnerable to CVE-2024-29415, a severe Server-Side Request Forgery (SSRF) vulnerability detailed in note 3477196.

Note 3536965 [CVE-2024-47578] addresses SSRF and information disclosure vulnerabilities in Adobe Document Services of SAP NetWeaver AS for JAVA (AS Java). Updating the ADSSAP software component to the recommended patch level will remove the vulnerabilities in the relevant web applications and services in AS Java.

Note 3433192 [CVE-2024-22127] deals with a code injection vulnerability in the Administrator Log Viewer plug-in of AS Java. The vulnerability requires administrative privileges for successful exploitation. Therefore, restricting the use of the Administrators role can mitigate the vulnerability.

Note 3420923 [CVE-2024-22131] patches a vulnerable RFC service in AS ABAP to prevent a critical code injection vulnerability. The workaround in the note recommends restricting access to function modules for CA-SUR using authorization object S_RFC.

Other important notes include 3413475 for multiple CVEs in SAP Edge Integration Cell and 3412456 [CVE-2023-49583] which addresses an escalation of privileges vulnerability in node.js applications created using SAP Business Application Studio, SAP Web IDE Full-Stack or SAP Web IDE for SAP HANA.

New Whitepaper: NIS2 Compliance for SAP Solutions

Layer Seven on August 20, 2024

The Network and Information Security (NIS2) Directive takes effect on October 17 and imposes significant requirements on organizations for cybersecurity and incident reporting. NIS2 mandates strict standards for cybersecurity and incident reporting for organizations that are based in the European Union or provide services within the EU. It is targeted at essential and important organizations in specific sectors considered part of the supply chain for critical infrastructure in member states.

The Directive includes requirements for protecting the confidentiality, integrity and availability of data in network and information systems against cyber threats, as well as detecting and reporting significant security incidents within prescribed time frames. This includes data and incidents impacting business-critical SAP solutions.

The newly-released whitepaper from Layer Seven Security simplifies the path to NIS2 compliance by providing guidance for complying with the Directive for SAP solutions. This includes sources for hardening standards to comply with cybersecurity requirements, and threat detection and response mechanisms to comply with the incident reporting requirements of the Directive. The guidance includes specific recommendations for solutions in SAP RISE.

DOWNLOAD

Cybersecurity Extension for SAP version 5.1

Layer Seven on May 16, 2024

S/4HANA Access Risk Analysis, SAP RISE Compliance, SAP ETD Benchmarking and More

The new release of the Cybersecurity Extension for SAP is scheduled for general availability in May and includes several important enhancements.

Version 5.1 includes coverage for critical access and segregation of duties in SAP S/4HANA. It performs more than 700 checks for access to sensitive transactions and conflicting combinations of transactions for business processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in S/4HANA. Exclusions can be maintained for users and groups to tune checks and exclude permitted users. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for S/4HANA. The checks are included in the new areas S/4HANA Critical Access and S/4HANA Segregation of Duties. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.

The new release also includes support for monitoring the compliance of SAP RISE systems with information security standards defined by SAP Enterprise Cloud Services (ECS) in note 3250501. The standards include required settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must comply with for RISE solutions managed by ECS.

Version 5.1 includes several new threat detection patterns to bridge the gap with SAP Enterprise Threat Detection Cloud Edition (ETD CE). As a result, the Cybersecurity Extension for SAP now provides coverage for the same patterns as ETD CE. It also includes more than 750 patterns that are not included in ETD CE. Similar to ETD CE, the Cybersecurity Extension for SAP is available as Software-as-a-Service (SaaS) for RISE customers.

Finally, the new release includes new tiles for Actively Exploited Vulnerabilities and Known Exploited Vulnerabilities. The former can be used to display open vulnerabilities that have associated alerts. The latter can display calculated security notes for systems that are required to address Known Exploited Vulnerabilities (KEV) for SAP solutions in the CISA KEV catalog.

Security Compliance for SAP RISE Solutions

Layer Seven on February 19, 2024

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.

SAP RISE should be selected from the framework selection screen.

Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.

The results are summarized for each requirement and an overall compliance score is calculated for the system.

You can drilldown into each requirement to navigate the detailed findings.

You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.

The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.

Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.

The shortcuts can be published as custom tiles to existing or new work groups.

Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.

The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.

Security Patching for SAP Solutions

Layer Seven on June 21, 2023

The risk of unpatched systems is consistently reported as one of the top three threats to SAP systems in every survey of SAP customers performed by SAPinsider since 2021. Regularly implementing SAP security notes is reported as the most significant action performed by organizations to secure their SAP solutions. Security notes provide include corrections for known vulnerabilities in SAP software. They are released by SAP on Patch Tuesday, the second Tuesday of each month.

Keeping up with SAP patches is reported as the first or second greatest cybersecurity challenge confronted by SAP customers. This is due to several factors including:

  • High volume of security notes
  • Maintaining system availability
  • Validating calculated notes
  • Scheduling downtime
  • Prioritizing security notes
  • Resource constraints

The whitepaper Security Patching for SAP Solutions from Layer Seven Security includes best practices to overcome these challenges. It provides a comprehensive framework for discovering, analyzing and implementing SAP security notes. The whitepaper includes clear and practical recommendations from the leaders in SAP cybersecurity to automate and optimize security patching procedures for SAP.

DOWNLOAD

Cybersecurity Threats to SAP Systems Report

Layer Seven on June 7, 2023

Earlier this month, SAPinsider released the 2023 Cybersecurity Threats to SAP Systems Report. Co-sponsored by Layer Seven Security, the report is based on the findings of a survey of more than 205 security professionals in North America, EMEA, APJ, and LATAM, representing SAP customers across nine industries.

The report revealed several trends in 2023 compared to reports for earlier years. Similar to 2022, respondents ranked unpatched systems, ransomware attacks, and credentials compromise as the most significant threats to SAP systems. The exploitation of system interfaces and weak access controls were also identified as important but less significant threats.

Patching and updating SAP systems and enforcing secure password policies were reported as the most important requirements for SAP cybersecurity. Protecting SAP systems from zero-days threats was also identified as an important requirement, even though there is no evidence of the successful exploitation of any zero-day vulnerability for SAP solutions.

This article provides practical recommendations for managing the top five threats to SAP systems presented in the report. The recommendations can be implemented using a combination of the Cybersecurity Extension for SAP and SAP ALM platforms such as Solution Manager, Focused Run, and Cloud ALM. According to the report, 81% of customers are using one or more of these platforms. However, less than half of SAP customers are fully leveraging the capabilities of their ALM investments.

Security Patching

Keeping up with patches is the most significant cybersecurity challenge reported by SAP customers. This is due to reasons such as the volume of patches, difficulties with prioritizing notes and scheduling system downtimes, the reluctance to apply notes that could impact system availability, and issues validating whether patches are correctly implemented. The last is especially challenging for notes with manual corrections.

System Recommendations (SysRec) in SAP Solution Manager automates the discovery and implementation of security notes for SAP solutions. It calculates relevant notes based on the installed software components and versions in systems. Notes can be filtered by priority to focus on hot news and high priority patches. SysRec also identifies objects impacted by security notes and provides usage counts for the objects. This can be used to develop targeted test plans based on the known impact of security notes. Notes impacting unused objects can be implemented with minimal testing.

Automated corrections can be downloaded through SysRec and staged in systems for implementation. Once implemented successfully, the relevant notes are automatically removed from the SysRec results. The implementation status of notes with manual corrections can be maintained using the Status option. False positives in SysRec can occur if notes are released by SAP without software component information. The Cybersecurity Extension for SAP (CES) automatically discovers and removes the false positives to improve the quality and reliability of notes reported by SysRec.

Ransomware

Ransomware can target SAP applications through multiple a­ttack vectors. Unauthorized external program starts through the gateway server should be restricted using the secinfo access control list. Authorizations for OS commands should be restricted. This includes authorizations for RSBDCOS0, SM49 and CG3Z which can be used to download, install and run ransomware tools. Custom ABAP, UI5, Java and SQLScript programs may be exploited to perform arbitrary OS commands. Vulnerable programs can be discovered using code vulnerability scanning solutions. Vulnerable ICF services such as SOAP RFC and WEB RFC should be disabled. The SAP Virus Scan Interface should be enabled to support the detection of malware in file uploads and the propagation of ransomware through file downloads.

Ransomware can also target hosts supporting SAP applications. Therefore, it is important to secure and monitor the operating system layer in SAP systems. Unnecessary ports and services should be closed. Root commands and sudo actions should be closely monitored, particularly wget and bash commands, and the creation and execution of OS files.  The Cybersecurity Extension for SAP is the only security solution that protects and detects against ransomware across application, database and OS layers in SAP systems.

Credentials Compromise

Transport layer security using SNC and SSL for SAP protocols will protect encoded SAP passwords in client-server and server-server communications. Access to password hashes in SAP tables should be restricted and monitored. Downwards-compatible passwords should be disabled since this will prevent the storage of password hashes that use vulnerable algorithms. Strong password policies should be enforced using the relevant settings in systems including login parameters in ABAP systems. Session management should be enabled and logon tickets and cookies should be secured against misuse. Detection and alerting for SAP accounts that may have been compromised can be activated using Anomaly Detection in the Cybersecurity Extension for SAP. Anomaly Detection will detect for unusual user actions such logins from new terminals or IP addresses for each user and the execution of transactions and reports that are not typically accessed by users.

System Interfaces

Program starts, server registrations, and monitor commands should be restricted for the gateway server. The use of RFC destinations with stored credentials should be restricted. The authorizations for RFC users should be provisioned based on the principle of least privilege to minimize the impact if RFC accounts are compromised. RFC user accounts should be system or communication user types, not dialog or reference. Positive whitelists are recommended to prevent the misuse of RFC callbacks. Trusted RFC connections should be used only in the required scenarios and trust relationships should not be configured from lower to higher order environments.

Unified Connectivity (UCON) should be enabled and configured to protect external calls to sensitive remote-enabled function modules (RFMs). Requests blocked by UCON are logged in the Security Audit Log.

Interface and Connection Monitoring (ICMon) in SAP Solution Manager and Integration and Exception Monitoring in SAP Focused Run can be deployed to identify critical internal and external system interfaces. This includes RFC, HTTP, Cloud, IDoc, and Web Service connections. Alerts can be configured for the usage of system interfaces outside of normal scenarios. For example, customers can enable alerting for an RFC destination if it used by a user not included in a permitted whitelist or if the destination is used to call RFMs that are not typically called by the destination. Similar alerting can be enabled for calls to applications, IDocs, cloud services and web services accessed using non-RFC protocols.

Access Controls

Access to administrative profiles, roles, authorizations and transactions should be restricted. This includes roles and permissions in SAP databases and hosts. The SAP_ALL profile should not be used in productive systems. Standard users should be locked and default passwords should be changed. Authorization checks should be enforced for all RFMs and system operations. Switchable authorization checks should be enabled wherever applicable to secure access to sensitive function modules. Conflicting functions should be assigned to separate users to enforce the segregation of duties. This includes user creation/ role maintenance, role maintenance/ role assignment, and transport creation/ transport release.

The Cybersecurity Extension for SAP can be used to discover users with administrative permissions or access to conflicting functions. It can also alert for the execution of sensitive programs, reports and transactions. Exclusions can be maintained for specific users or based on factors such as user group to support whitelisting and prevent false positives or alert flooding.

Securing the Journey to SAP S/4HANA

Layer Seven on December 20, 2022

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

DOWNLOAD

Maintaining System Inventories with SAP Solution Manager

Layer Seven on October 26, 2022

Maintaining an accurate and complete inventory of SAP systems is an important requirement for cybersecurity. It enables organizations to assess and prioritize risk management, ensure systems are not accidentally overlooked and exposed to threats, plan and track maintenance activities such as upgrades to apply security patches, and recover rapidly from security incidents including data breaches and successful ransomware attacks. For this reason, compliance frameworks such as CIS, NIST and PCI-DSS include requirements for asset management. The requirement is also the subject of the new bill Strengthening Agency Management and Oversight of Software Assets Act approved by the U.S Senate Homeland Security and Governmental Affairs Committee in September.

In many organizations, SAP asset inventories are maintained in spreadsheets or asset management tools that require manual updating. This can lead to inaccuracies if these approaches fail to keep pace with changes in complex and evolving SAP landscapes. Landscape Management in SAP Solution Manager provides an automated solution for managing system inventories by discovering and mapping SAP assets and automatically updating system information. Landscape Management is included in the standard usage rights for Solution Manager.

System information is sourced by Landscape Management from the System Landscape Directory (SLD). The SLD is the central repository of system information required for SAP lifecycle management. SAP landscapes may have multiple SLDs for backup or to support different environments, but the supplier for Landscape Management is the central SLD. The SLD includes a software catalog for each system known as CR Content. It also includes a Common Information Model (CIM) for sharing hardware and software information. CR and CIM data is automatically synched  from the SLD with Landscape Management via SAP agents. The data can also be automatically or manually imported into Solution Manager in landscapes that do not have an SLD. The data is then synched from Landscape Management with the Maintenance Planner in the SAP Support Portal. This is one of the primary reasons why SAP Solution Manager is required in SAP landscapes even if customers are not actively using any SolMan scenarios.

Landscape Management is accessed from the SAP Solution Manager Administration workgroup in the Fiori Launchpad.

System information is categorized by application server, database, host and component areas. For technical systems, you can select a system from the selection screen and click on Display to display the full system information.

The initial screen summarizes the key attributes for the system such as the SID, database, installation number, release information and SAP products installed in the system. This section also includes the environment, location and lifecycle status. The priority of the system can be used to classify systems based on their business importance using a low to very high rating scale.

The tabs for Technical Scenarios, SAP Support Portal, Business Partners, and Installed Licenses detail the active SolMan scenarios for the system, the system number, key personnel including system owners, business contacts, architects, and technical support with email addresses and telephone numbers, and license information.  

The Software section lists the installed software components including version and support pack level. This information is used by SAP Solution Manager during the calculation of relevant notes including security notes.

The Database, Instances and Clients section include information such as the database type, release and host name, instance names, numbers and directories, and active clients and roles.

The Hosts section will include host-level information such as the host name, FQDN, IP address, OS type and version, CPU, and details of whether the host is physical, logical or virtual.

The Destinations section lists the active RFC destinations in the system by client.

Finally, the Component Groups section details the logical component groups for the system. This is often used to group systems based on their role. The system roles below are predefined by SAP. However, users can create and maintain custom component groups to cluster systems by business group, function, location, or other areas.