Skip to content
SAP Security Testing

SAP Security Testing: Tools, Techniques, and Best Practices

8bc4a8bb51f46aaf329d75305e64e8f0?s=96&d=mm&r=g
Barry Snow
Technical Account Manager
March 19, 2025
8 min read

Chapters

Share Article

Introduction 

“SAP Security”what does it mean to you?  If your answer is “Users, Roles, Profiles, and Authorization Objects,” you’re not wrong — but let’s look at the bigger picture. 

SAP security is evolving, and so should our understanding of it.  SAP security today spans a vast ecosystem of interconnected legacy landscapes and emerging cloud-hosted infrastructure.  Those legacy landscapes are still there, but today, they are integrated into modern technologies like BTP (SAP Business Technology Platform) and HANA databases, all of which require some form of “SAP Security”. 

The Classic Understanding of SAP Security: 🏛 

For decades, SAP security has centered around tools (transaction codes) like SU01 for user management and PFCG for role administration. These were the bread and butter of NetWeaver AS ABAP systems, ensuring users accessed exactly (and only) what they were authorized to see. 

The Broadening Scope of SAP Security: 👨‍💻 

As SAP technology has advanced, so have its security requirements. Systems like NetWeaver AS Java and NetWeaver BW added layers of complexity, each demanding tailored control. On top of that, there is an overall push toward the web and the cloud.  Think about the reliance on Web Dispatchers, Cloud Connectors, and the new Web-based UI, Fiori. 

The Holistic View SAP Security: 🌐 

SAP security is now commonly treated as synonymous with #SAPCyberSecurity.  Taking this view, we must include Basis parameters, SAP Patch Management, configuration management, RFC integrations, real-time threat detection, forensics requests, and cloud hosting considerations. It’s no longer just about preventing access—it’s about maintaining the integrity of everything from ABAP code to cloud environments.  

The Flexible Future SAP Security: 🆕️ 

Enter Business Technology Platform (BTP) and HANA databases innovations that bring incredible capabilities, but they also widen the attack surface when added to the existing architecture. Securing these newer technologies requires a mix of traditional best practices and cutting-edge strategies, including threat detection, real-time monitoring, and robust governance frameworks. 

 

Redefining SAP Security Testing for an Evolving SAP Security Landscape 

SAP Security Testing has traditionally been focused on testing Roles, Profiles, and the fields and values of the associated Authorization Objects.  The SAP Security Testing scope has been customarily extended to include Segregation of Duties (SoD) testing.  These two categories of testing are just as important today as they have been for over 20 years.  However, the SAP technology portfolio is growing and evolving fast.  So, let’s take a quick look at what we need to do to modernize the concept of SAP Security Testing.  

SAP Security Testing-SAP Security Landscape

Expanding the Scope: Key Focus Area of SAP Security Testing 

Before we look at the newer technologies, let’s focus on the core “legacy technology of NetWeaver AS ABAP systems (which now also includes S/4HANA and BW/4HANA systems). What else should we be testing in these “ABAP-based Environments? This question expands our scope of testing from traditional #SAPSecurity testing to #SAPCyberSecurity Testing! 

What is included in the expanded scope?  We must include: 

  • Basis configuration Testing 
  • Penetration Testing 
  • Security and Compliance Testing (scheduled scans) 
  • ABAP Code Testing 

 

Strengthening Security Between Penetration Testing Cycles 

Having Penetration Testing a full-time, ongoing business function at your company might seem unreasonable — and that’s fair.  So, what can you do to help in this area of testing when your company is “in-between” active PenTest contracts?  

  • Remember, hackers don’t operate under the same ethical and contractual constraints as your PenTest Vendor.  They test your defenses on their schedule, not yours! 
  • Review your Penetration Test schedule frequency.  Instead of conducting tests once a year or every three years, consider increasing the frequency to every six- or nine-month intervals for better security coverage. 
  • Consider setting up a full-time “Red Team”, even if it’s a small one. 
  • Use an automated third-party “Blue Team” solution to strengthen your #SAPCyberSecurity defense posture.  My recommendation, of course, is the SecurityBridge Platform. 
  • Consider chartering a Purple Team program. This program not only oversees the independent events of the Red Team but also ensures that their findings are implemented as defenses by the Blue Team. This war-gaming approach will significantly reduce your attack risk from external threat actors. 

 

Examples of Basis Configuration and Parameters in SAP Security 

Here are some example Basis Parameters and Configurations that should be in scope for SAP Security Testing. 

  • Check the status of all Basis Parameters across your SAP systems 
  • Verify system profile parameters for the Message Server 
  • Verify RFC Gateway by inspecting Access Control Lists (ACL) files, settings, profile and data dictionary 
  • Verify Transport Control Security by inspecting system profile parameters and the user master. 
  • Check for existence of Obsolete Clients 
  • With the SecurityBridge Security & Compliance Monitor, hundreds of checks can be executed across your SAP environments by utilizing scheduled jobs 

 

Examples of Testing Traditional SAP Security Sensitive Users 

SAP Critical Users can be tested for multiple vulnerability scenarios based on their ability to perform critical functions.  Additionally, it is important to verify that Security Logging is active and properly configured.  Here are just a couple of examples: 

  • Status of the SAP Security Audit Log – Is it enabled, turned off, or over-filtered?  If disabled, the system will have a very limited dataset for forensics and threat monitoring. 
  • Critical User Attributes – Ensure that passwords, user groups, validity periods, and user types are properly assigned and configured. 
  • Users with Critical Authorizations – Debug, password change/reset, delete SAP SID Clients, Program Start/Execute Programs, RFC Calls, and more.  
  • To test the hundreds of checks and use cases, use SecurityBridge Security & Compliance Monitor to set up scheduled scans of your targeted systems. 

 

Examples of ABAP Code Security Testing  

ABAP Developer teams that run a classic “DevOps” model can enhance their security posture by evolving into Secure Development Operations (#SecDevOps or #DevSecOps). 

SAP provides all ABAP Dev Teams with the ABAP Test Cockpit (ATC).  SecurityBridge allows these dev teams to infuse additional test cases specifically focused on SAP Security.  SAP Security testing should include these ABAP Code Vulnerability Types:   

  • SQL Injections 
  • Directory Traversal 
  • Authority Check validation  
  • Mass Data Change/Delete 
  • Many more… Use the SecurityBridge Code Vulnerability Analyzer to automate these tests on a scheduled basis 

 

What Other Testing Topics Should Be Considered?  

Pull it forward! (aka “Shift Left”)  

SAP Security and Testing should be a part of your SAP Program and Project Charters.  SAP Security Testing needs to be in scope early to drive personnel and budgeting decisions don’t make it an “afterthought”.  Crisis planning can result in pushing entire workstreams out of scope or delaying the Project Go Live Date. 

“Embedding” an SAP Security Consultant Workstreams 

When populating your Business Process and Technical Workstreams make sure to “embed” a competent SAP Security Consultant in the workstream. 

You might think that this “Security Embed” is an additional overhead that would slow down the workstream in the short term. However, in the long term, this one strategic move ensures that your workstream can successfully enter and exit key project phases such as Integration Testing and Cutover Testing.   

(Hint: You need to use the actual Post-Go-Live Roles and Permissions in those phases not an over-privileged Testing Role!) 

Key Questions to Consider  

  • How does that role get created or modified? 
  • How does it get tested?   
  • Is Role testing in scope for your workstream? 

In your Transformation workstreams, your workstream leads are “in the trenches” working on delivering the solution for their represented business process.  However (speaking from lived experience), are those workstreams thinking about Security Testing from the beginning?  Are they thinking about Security Testing when they are creating their SDLC/RICEFW Documents? 

Baseline and Status-Check Your SAP Cybersecurity Risk Posture 

Use SecurityBridge to baseline and status check your SAP CyberSecurity Risk Posture before, during, and after your SAP Projects. 

Positive and Negative Testing 

When building your Test Cases and Test Sets, remember to incorporate both “Positive Testing” and “Negative Testing”.  This helps to ensure that your users receive exactly and only (Least Privilege) the permissions needed to fulfill the specified business function. 

 

Wrapping Up: A Reference Guide for SAP Security Testing 

This blog is packed with a lot of ideas, so please use it as a reference tool.  Feel free to revisit it after taking some time to digest these concepts.   

We never really got beyond the legacy ABAP environments, but by extension, that also includes SAP S/4HANA and SAP BW/4HANA. We can focus on SAP Security Testing in newer technologies in the next blog post. 

As always, feel free to reach out.  I am active on LinkedIn and happy to engage with you there.  

The Cybersecurity Command Center for SAP-4