The real state of SAP security: global benchmark from SecurityBridge
Reducing the attack surface of SAP environments and, therefore, the risk for a cybersecurity incident is a continuous effort for SAP teams. Embracing an efficient process for hardening SAP systems is important, as hundreds of security recommendations must be enforced in each SAP system.
The Cybersecurity Resilience Index for SAP (CRIS) reports the average percentage of compliant checks per Area of Responsibility (AoR) across thousands of SAP systems in the SecurityBridge customer base. It helps the SAP community understand the true state of the global SAP security posture and provides insight into the implications of each AoR. Note that this benchmark covers only organizations that are already actively working on SAP security and have invested in maturing it with the SecurityBridge Platform, so it likely overstates the posture of the wider SAP installed base.
CRIS provides an aggregated, anonymized view of how well organizations keep their SAP landscapes secure. Built on real security data from thousands of SAP production environments, CRIS helps security leaders understand where SAP systems are resilient and where systemic gaps remain.
From a high-level perspective, most AoRs cluster in the 58–77% range, suggesting a generally solid security program in areas directly tied to application controls and configuration, but notable variability across governance and integration surfaces.
Highlighted strengths
The biggest outlier is the OS AoR at 100%, a strong signal that system hardening and host-level controls are mature, consistently enforced, and likely heavily audited.
Development (Code Vulnerability) at 77% indicates established secure development practices are in place. This reduces exploitable surfaces from custom ABAP and repository changes and is a positive indicator for long-term risk reduction.
Integration at 77% shows substantial hardening of interfaces (RFC, HTTP, TCP/IP), reducing the risk of lateral movement via inter-system channels. This is critical because many real-world breaches leverage insecure interfaces.
Identity and Access at 73% reflects a solid IAM posture, with reliable joiner/mover/leaver processes and authentication controls. It suggests teams are actively managing accounts and reducing orphaned or overly privileged access.
Areas for attention and risk signaling
Authorizations at 68% and Data Protection at 65% sit at the lower end of the set. These are high-priority risk areas because mismanaged permissions and sensitive data exposure are common breach vectors.
- Authorization control gaps strongly correlate with attacker pathways from basic users to elevated privileges. The results imply there are still significant gaps in detecting or remediating broad or powerful authorization assignments.
- The Data Protection score directly translates into GDPR/regulatory risk and potential exposure to data exfiltration. It signals ongoing risk if sensitive data access controls and monitoring are not consistently enforced.
SAP Basis at 58% is the lowest result and represents the governance and configuration layer that underpins all other controls. Weaknesses here can undermine logging, audit readiness, and overall system hardening, creating a misconfiguration visibility gap across the stack. The score suggests frequent misconfigurations or slow remediation cycles, which in turn blunt incident response and forensics capabilities.
Implications for prioritization and action
Immediate focus should be on Authorizations, Data Protection, and SAP Basis:
- Authorizations: Audit and prune risky or unused authorization profiles; implement least-privilege models; enforce policy-driven remediation and continuous monitoring for unusual elevation events.
- Data Protection: Enforce data access controls, use encryption at rest/in transit where applicable, and implement robust DLP/monitoring to reduce the risk of exfiltration. Validate GDPR/privacy controls and access reviews.
- SAP Basis: Tighten baseline hardening, fix misconfigurations, ensure audit logs are enabled and retained, and regularly review transport security and parameter settings.
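To make the index concrete, the following is an added example (not SecurityBridge code and not the CRIS check catalogue) of how a CRIS-style figure is derived: each check is recorded per system and AoR, compliance is computed per system, then averaged across systems for every AoR, and the weakest AoRs are surfaced for prioritization. It also shows a small hardening baseline for the SAP Basis AoR of the kind the last bullet above calls for; the parameter names are real SAP profile parameters, but the expected values and the sample check data are assumptions constructed for this illustration.

```python
"""CRIS-style compliance index per Area of Responsibility (AoR).

Added illustration; check results and the Basis baseline are constructed
sample data, not SecurityBridge's checks. Method mirrors the page's
description: average percentage of compliant checks per AoR across systems.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# One row per (system id, AoR, check id, compliant?) -- constructed sample data.
CheckResult = Tuple[str, str, str, bool]

SAMPLE_RESULTS: List[CheckResult] = [
    ("PRD", "OS", "os-01", True), ("PRD", "OS", "os-02", True),
    ("PRD", "SAP Basis", "basis-01", True), ("PRD", "SAP Basis", "basis-02", False),
    ("PRD", "SAP Basis", "basis-03", False),
    ("PRD", "Authorizations", "auth-01", True), ("PRD", "Authorizations", "auth-02", False),
    ("QAS", "OS", "os-01", True), ("QAS", "OS", "os-02", True),
    ("QAS", "SAP Basis", "basis-01", True), ("QAS", "SAP Basis", "basis-02", True),
    ("QAS", "SAP Basis", "basis-03", False),
    ("QAS", "Authorizations", "auth-01", True), ("QAS", "Authorizations", "auth-02", True),
]


def compliance_by_aor(results: Iterable[CheckResult]) -> Dict[str, float]:
    """Return {AoR: percentage}: per-system compliance ratio, averaged across systems."""
    # aor -> system -> [compliant count, total count]
    tally: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for system, aor, _check_id, compliant in results:
        counter = tally[aor][system]
        counter[0] += int(compliant)
        counter[1] += 1
    index: Dict[str, float] = {}
    for aor, per_system in tally.items():
        ratios = [ok / total for ok, total in per_system.values()]
        index[aor] = round(100.0 * sum(ratios) / len(ratios), 1)
    return index


def weakest_aors(index: Dict[str, float], n: int = 3) -> List[Tuple[str, float]]:
    """Lowest-scoring AoRs first: the ones the page says deserve immediate focus."""
    return sorted(index.items(), key=lambda item: item[1])[:n]


# Assumed hardening baseline for the SAP Basis AoR (expected values are an
# example policy, not a vendor recommendation). Each predicate gets the raw
# profile parameter value as a string and returns True when compliant.
BASIS_BASELINE: Dict[str, Callable[[str], bool]] = {
    "rsau/enable": lambda v: v == "1",                        # security audit log active
    "login/min_password_lng": lambda v: int(v) >= 12,         # minimum password length
    "login/fails_to_user_lock": lambda v: 1 <= int(v) <= 5,   # lock after few failures
    "login/password_expiration_time": lambda v: 1 <= int(v) <= 90,  # 0 = never expires
}


def evaluate_profile(system: str, params: Dict[str, str]) -> List[CheckResult]:
    """Turn a system's profile parameters into CheckResult rows for the Basis AoR.

    A missing parameter is treated as non-compliant here (conservative); a
    production check would have to consult the kernel default instead.
    """
    rows: List[CheckResult] = []
    for name, predicate in BASIS_BASELINE.items():
        value = params.get(name)
        try:
            compliant = value is not None and predicate(value)
        except ValueError:  # non-numeric value where a number is expected
            compliant = False
        rows.append((system, "SAP Basis", name, compliant))
    return rows


# Constructed profile parameter snapshot for one system.
PRD_PROFILE: Dict[str, str] = {
    "rsau/enable": "0",
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "0",
}

if __name__ == "__main__":
    index = compliance_by_aor(SAMPLE_RESULTS)
    for aor, pct in sorted(index.items(), key=lambda item: item[1]):
        print(f"{aor:16s} {pct:5.1f}%")
    print("Focus first on:", [aor for aor, _ in weakest_aors(index, 2)])
    basis_rows = evaluate_profile("PRD", PRD_PROFILE)
    print("PRD Basis baseline:", compliance_by_aor(basis_rows))
```

Running the module prints the per-AoR index for the constructed sample, lists the two weakest AoRs, and scores the constructed PRD profile against the assumed Basis baseline (only the lock-out threshold passes, so the Basis figure for that system is 25%). Feeding `evaluate_profile` output into `compliance_by_aor` alongside other AoRs' results is what keeps the Basis layer visible in the same index as Authorizations and Data Protection.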
Are you a SecurityBridge customer interested in benchmarking your SAP security posture against your peers? Contact us to get free access.
