Because of Cloud and Mobile Technologies, new SAP Systems have become more exposed to the Internet; thus every vulnerability identified in these services can affect thousands of multinational companies.

Bear in mind that 90% of the Fortune 2000 companies use SAP; therefore, if any of these vulnerabilities is exploited by a hacker, the world’s economy could face dreadful consequences.

For example, the latest reported issues in SAP Mobile affect more than a million mobile devices; a SAP HANA vulnerability affects 6,000+ SAP HANA users.

Because of this, dangerous SAP HANA and SAP Mobile vulnerabilities discovered in 2015 were covered in Wired, PC World, and other top international media.

Penetration Testing Service

by Winterhawk

Winterhawk has partnered with ERPScan to provide an SAP Certified Solution for SAP Penetration Testing, which identifies, analyses and remediates security issues, while protecting against cyberattacks and internal fraud. It monitors multiple tiers of SAP security for vulnerabilities including Platform Security and Source Code Review for custom ABAP and JAVA programs.

The largest companies across industries ranging from oil and gas, to banking and retail, as well as consulting companies and even nuclear power installations have successfully deployed and used ERPScan.

Summary of Penetration Testing Benefits:

Stay secure

  • Prevent cybercriminal activity with continuous monitoring of key security areas and automatic vulnerability assessments.
  • Prevent insider activity by using our SoD module to analyse all critical privileges and their segregation.
  • Prevent development errors with code review of custom transactions and reports.

Save time

  • Easy implementation: less than one hour to install the system as software, a virtual appliance or SaaS.
  • Fast scans: with our new engine, you can analyse more than 7,500 parameters in five minutes.
  • Scalability: effectively monitor a large number of systems from various locations and easily manage them from anywhere using a web browser.

Decrease costs

  • Save on compliance costs with the integrated compliance modules, including key recommendations from SAP, ISACA, DSAG, OWASP, EAS-SEC, SOX, PCI-DSS, and NERC CIP.
  • Save on manual assessments with automatic monitoring of all security-related options.
  • Save on security education by using an integrated SAP security knowledge base with detailed description and remediation steps.

Why do we offer automated SAP Penetration Testing Service?

There were roughly 100 documented SAP security lapses in 2009. As of 2015, there were more than 3,400 SAP security notes published to address these lapses. If exploited, vulnerabilities make unauthorised access to SAP systems possible; this causes problems for organisations that otherwise successfully manage SAP solutions, such as SAP Access Control, for governance, risk and compliance.

Interest in the topics of hacking and vulnerabilities of SAP systems has been growing exponentially: in 2007, there was one report dedicated to SAP hacking and security, but by 2011 there were more than twenty. The need to secure SAP systems is reinforced by the recent release of a number of hacking tools, which not only prove that SAP attacks are possible but also simplify them for cybercriminals.

An ERP system is the heart of any large organisation. It facilitates all the critical business processes, from procurement, payment and logistics to human resources management, product management and financial planning. All of the data stored in ERP systems is of great importance and any unauthorised access can lead to enormous losses, or even termination of business processes. From 2006 through to 2010, losses to internal fraud constituted 7% of profit on average, according to the Association of Certified Fraud Examiners (ACFE).

There is a persistent misconception that SAP ERP security boils down to a segregation of duties (SoD) matrix; while SoD security measures are certainly necessary, they are not enough. The reality is that there is a wide spectrum of threats, both internal and external, including attacks on SAP routers, SAP Enterprise Portal and even business applications such as SAP ERP, SAP CRM and SAP BW.

Programs developed in SAP’s own language, ABAP, should not be overlooked, as ABAP-based software is widely used to customise ERP solutions. These programs often contain software vulnerabilities left by developer oversight or occasionally as intentional backdoors.


Components of ERPScan Security Monitoring Suite for SAP


  • Vulnerability Management: enables security management of SAP servers by identifying software vulnerabilities and misconfigurations, and verifies compliance to relevant industry standards.
  • Source Code Scanning: an SAST tool designed specifically for SAP infrastructure. It contains checks for ABAP and JAVA applications and is able to find critical issues and backdoors in custom source code.


  • Advanced Analysis: a set of features to facilitate business intelligence procedures for the gathered data. Our aim was to simplify risk management for vast landscapes and to allow a convenient visual presentation of the results. This add-on enables vulnerability prioritisation, analysis of the results gathered over a specific timeframe (trend analysis) and their visualisation. It can also trace connections between systems.
  • Remediation: what every security engineer would dream to have at their disposal. This add-on is the result of our efforts to create a “big green button” which would automatically rectify all issues, or at least significantly simplify their remediation. It serves to facilitate vulnerability management in terms of integration, workflow and remediation processes.



System Architecture

The system is based on a client-server structure where the client is a web-browser; the server is a standalone system which can be implemented as traditional software, a virtual appliance, or even in the cloud.

To receive data from an SAP system, the scanner uses a special account which is created in every client beforehand, with the rights to read a set of tables needed for the analysis. Data is transferred from the server via RFC by means of standard functional modules or by other approved protocols for non-ABAP systems. The data received is verified for compliance using various criteria and then displayed in the web interface.

Data is typically retrieved from SAP systems via the so-called connectors, processed in the control components and presented to the end user via the output components.

The system engine kernel has three functional areas:

  1. Output: includes business functions designed to visually represent output data in an accessible format, for example, in the form of dashboards or reports.
  2. Control and processing: includes all functions for managing and processing data received from the connectors, transfers to business functions and vice versa: User management, Template management, Project management, Landscape management and Notification management.
  3. Data Collectors: include access interfaces for various SAP components designed to retrieve the necessary data.

Data Collectors (Connectors)

There are many connectors for various data sources, namely SAP NetWeaver ABAP application server, SAP NetWeaver Java and other interfaces. By means of these data connectors, system information is gathered from multiple sources such as system services, helping to detect specific vulnerabilities in the system.

The following connectors are deployed:

  • ABAP – allows retrieval of data from an ABAP instance via RFC functions;
  • Java – allows retrieval of data from a Java instance via P4 protocol;
  • HTTP – allows retrieval of data via all SAP HTTP interfaces;
  • SOAP – allows retrieval of data via SOAP interfaces;
  • WEBRFC – allows a full system scan over the HTTP port (if the WEBRFC service at /sap/bc/soap/rfc is available), which can be used to scan systems via the Internet or when access is limited;
  • SAP Router – allows scanning of systems only accessible through SAP Router;
  • HANA – allows retrieval of data from HANA Database;
  • Oracle – allows retrieval of data from Oracle database;
  • BOBJ – allows retrieval of data from SAP BusinessObjects;
  • Mobile – allows retrieval of data from SAP Mobile Platform;
  • MDM – allows retrieval of data from SAP MDM Platform;
  • PCO – allows retrieval of data from SAP Plant Connectivity platform.



Vulnerability Management Module

This module includes over 10,000 checks, including:

  • Blackbox Penetration Testing (330 checks)
  • Whitebox Security Assessment (7,500+ checks) with Configuration Settings divided into the following sections:
      – Authentication
      – Encryption
      – Insecure configuration
      – Missing patches and SAP Security notes
      – Exploitation of vulnerabilities
      – Password brute force

Source Code Scanning Module

Even in a perfectly configured system running all the latest security updates, there is always a risk of unauthorised access to critical data. SAP programs and applications are coded in ABAP and Java, and code in these languages is as prone to errors as code in any other programming language. Vulnerabilities in the source code can facilitate unauthorised access or cause corruption of any critical data in the production system.

This module is designed to scan the custom code written by the company’s own developers in such applications as:

  • ABAP Programs, transactions and reports (Z or Y programs; 115 different vulnerability checks);
  • J2EE webservices (17 different vulnerability checks).

The system analyses source code according to industry-proven guidelines such as OWASP, for web-based issues, and the EAS-SEC guidelines, which are applicable to every business-critical application, for specific business-critical issues.

The list of areas by EAS-SEC included in the guidelines:

  1. Injections: various SQL injections, ABAP Code Injection and other injection type vulnerabilities that allow executing malicious database and OS requests via function parameters
  2. Critical calls: critical kernel calls that are not recommended for development
  3. Missing or bad access control checks: calls for critical transactions, reports, RFC functions and access to tables without authorisation checks or with improper authorisation checks
  4. Directory traversal: functions for accessing the file system that do not filter input parameters can eventually be used to exploit directory traversal vulnerabilities, i.e. a user can read any system file even if the function was originally designed only to read certain files
  5. Modification of displayed content: vulnerabilities that can be used for user credential and cookie theft such as XSS and CSRF
  6. Backdoors: for example, if there are username checks in the source code, an attacker having certain user privileges can bypass authorisations to execute functionality pre-defined in the source code
  7. Hidden channels: various access types for accessing external systems that can be used to transfer critical data externally
  8. Information disclosure: disclosure of critical information such as passwords, debug information, payment card or personal data in the code
  9. Obsolete expressions: expressions that should be avoided

These checks can be integrated into an organisation's SDLC process. The system checks source code security in Development, Test and Production environments by analysing code from the Code Repository, Workbench Requests and Transport Requests.
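To make four of the EAS-SEC areas listed above concrete (1, 3, 4 and 6), here is an added example, not ERPScan's code or checks: a small line-based heuristic scanner run over a constructed custom ABAP form. The rule set, the sample program and names such as `zdemo_report` and `SUPPORT01` are assumptions made for illustration.

```python
import re

# Line-based heuristics; the number is the EAS-SEC area from the list above.
RULES = [
    (6, "hard-coded user name check", re.compile(r"\bsy-uname\s*(=|<>|EQ|NE)\s*'[^']+'", re.I)),
    (1, "dynamic WHERE clause", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),
]
UNIT_START = re.compile(r"^\s*(FORM|METHOD|FUNCTION)\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
CALL_TCODE = re.compile(r"\bCALL\s+TRANSACTION\b", re.I)
OPEN_FILE = re.compile(r"\bOPEN\s+DATASET\b", re.I)
PATH_CHECK = re.compile(r"\bFILE_VALIDATE_NAME\b", re.I)

def strip_comment(line):
    # ABAP: '*' in column 1 comments the whole line, '"' starts an inline comment.
    return "" if line.startswith("*") else line.split('"', 1)[0]

def scan(source):
    # Returns (line_no, eas_sec_area, message) for each heuristic hit.
    findings, auth_seen, path_checked = [], False, False
    for no, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        if UNIT_START.match(line):  # new unit: earlier checks do not carry over
            auth_seen = path_checked = False
        auth_seen = auth_seen or bool(AUTH_CHECK.search(line))
        path_checked = path_checked or bool(PATH_CHECK.search(line))
        findings += [(no, area, msg) for area, msg, rx in RULES if rx.search(line)]
        if CALL_TCODE.search(line) and not auth_seen:
            findings.append((no, 3, "CALL TRANSACTION without prior AUTHORITY-CHECK"))
        if OPEN_FILE.search(line) and not path_checked:
            findings.append((no, 4, "OPEN DATASET without prior FILE_VALIDATE_NAME"))
    return findings

# Constructed sample of a custom Z program (not real customer code).
SAMPLE = """\
REPORT zdemo_report.
FORM show_data USING lv_where TYPE string lv_file TYPE string.
  IF sy-uname = 'SUPPORT01'.   " special-cased user
    CALL TRANSACTION 'SM30'.
  ENDIF.
  SELECT * FROM zorders INTO TABLE lt_orders WHERE (lv_where).
  OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
ENDFORM.
FORM show_safe.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SM30'.
  IF sy-subrc = 0.
    CALL TRANSACTION 'SM30'.
  ENDIF.
ENDFORM.
"""
```

`scan(SAMPLE)` reports lines 3, 4, 6 and 7 of the first form and nothing in `show_safe`. Pattern matching of this kind only flags candidates for review; it does not follow data flow or confirm that the result of an authorisation check is actually evaluated.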

Business Benefits

Reduction in expenses on the security assessment

The compliance module enables all the tests and can estimate the system’s compliance to ISACA assessment procedures performed by the Big Four audit firms. By providing an auditor with a report on completed tests run by ERPScan, containing all data required for the final report, you will reduce the duration of the assessment. Each check requires up to 10 minutes if done manually. This means an average of 50 working hours (1.5 hours/week) for a one-time analysis of a client, not to mention the analytic work involved in threat assessment and search for information about defence – ERPScan does the job in 10-20 minutes, depending on the quantity of data in the system.

Reduction in training expenses

The built-in knowledge base with detailed information and recommendations for vulnerability patching, together with an integrated news feed about the latest threats and security methods, will allow you to reduce staff training expenses.

Protection against remote hacker attacks

Analysis of misconfigurations and vulnerabilities will provide timely protection against hackers. Attack vectors are gradually shifting from mass attacks on users to targeted attacks on corporations, known as APTs (Advanced Persistent Threats). This has been shown by various sources, including the latest Stuxnet incidents. Also, in October 2012, there was news that anonymous hacktivists had broken into the Greek Ministry of Finance by exploiting a vulnerability in its SAP system, although this was neither proven nor refuted. Although the main losses come from insider attacks, losses to remote attacks will continue to increase due to the deep integration of business into the Internet and the implementation of mobile technologies. IT infrastructure boundaries will have to be extended.

Protection against insider attacks

Analysis of critical privileges used to access business-critical data and administration interfaces will help to detect potential breaches in the role model and prevent insider attacks. According to the Association of Certified Fraud Examiners (ACFE), and as mentioned above, losses attributed to ‘insider fraud’ amount to 7% of profit on average.


“We’d like to thank ERPScan for increasing our awareness for this important topic. ERPScan has been partnering with SAP for several years and thanks to the close collaboration SAP was able to provide patches for various security issues.”

Hilmar Schepp

Head of Strategic Innovation, SAP