SAP Cybersecurity 101: Understanding the Basics

SAP systems are the backbone of many large enterprises, handling critical processes like finance, treasury, supply chain, and human resources. This makes them prime targets for cyberattacks. Understanding the basics of SAP cybersecurity is crucial for protecting your organization’s sensitive data and ensuring business continuity. This article will break down essential concepts without assuming any prior security knowledge.

Why SAP Systems Are Targets

Imagine a safe containing all your company’s most valuable assets. That’s essentially what an SAP system is. It holds financial data (revenue, expenses, and sensitive financial records), customer information (personal details, purchase history), intellectual property (trade secrets, formulas, and proprietary information) and operational data (supply chain details, manufacturing plans, and logistics) to name a few.

A successful attack on an SAP system can lead to multiple consequences, all of them extremely negative to the organization:

  • Financial losses: financial fraud and other attacks that result in direct monetary loss.
  • Data breaches and regulatory penalties: in most cases regulations require organizations to protect the data hosted in these applications, so data loss also brings fines.
  • Operational disruptions: in most cases the most damaging outcome for an organization, because of the resulting loss of business.
  • Reputational damage: hard to quantify, but significant when a data breach is publicly disclosed.

Therefore, securing these systems is not just a technical issue; it’s a business imperative.

Fundamental Cybersecurity Concepts

Let’s explore some key concepts that are essential for SAP cybersecurity:

Authentication: 

This is the process of verifying an application user’s identity. In SAP, this typically involves usernames, client numbers and passwords. 

Strong passwords and multi-factor authentication (MFA) are crucial to prevent unauthorized access in case a password is compromised. MFA adds an extra layer of security by requiring users to provide multiple forms of identification, such as a code from a mobile app or an SMS message. 

Authentication has to be enforced across multiple layers of SAP applications, given the complexity of the technology and services that support their operation.

Key Aspects of Authentication in SAP

  • User Credentials: Typically consist of a username, client number, and password.
  • Multi-Factor Authentication (MFA): Adds extra security by requiring an additional verification step.
  • Layered Enforcement: Authentication controls must be applied across various SAP applications and services.

Why Strong Authentication Matters

  • Prevents unauthorized access to sensitive data.
  • Reduces the risk of credential-based attacks.
  • Ensures compliance with security and regulatory standards.

Authorization: 

Once a user is authenticated, the application needs to restrict access to only the actions and data that the user should access, based on the job they are expected to do. 

Basically, authorization determines what users are allowed to do. In SAP, this is managed through roles and authorizations. Properly configured authorizations ensure that users only have access to the data and functions they need for their job. This principle, known as “least privilege,” is fundamental to security. 

Because this is such a complex task, administrators sometimes grant more authorizations than users really need, which can become a big problem not only from a security perspective but also from a compliance perspective.

Key Aspects of Authorization in SAP

  • Roles and Authorizations: Define which actions a user can perform.
  • Least Privilege Principle: Ensures users have only the minimum access necessary.
  • Complexity Challenges: Admins sometimes over-provision users, leading to security gaps.

Why Proper Authorization Matters

  • Prevents unauthorized access to sensitive business functions.
  • Reduces insider threats by limiting unnecessary privileges.
  • Ensures compliance with security policies and industry regulations.

Segregation of Duties (SoD): 

Related to both the concepts of users and authorizations, this is a principle well known in the audit community. This principle ensures that no single individual has complete control over a critical business process. It prevents fraud and errors by dividing responsibilities among multiple people. 

In SAP, SoD conflicts arise when a user holds conflicting authorizations. Regular SoD checks are essential. 

One example of an SoD violation is a user having access to both vendor and payment processing. If a user has the authorization to:

  • Create or modify vendor master data (e.g., change bank details)
  • Create and approve purchase orders
  • Process vendor payments

Then this user could create a fictitious vendor, enter their own bank account details, create a purchase order for that vendor, and then process the payment—effectively stealing company funds.

That is just one example of hundreds of possible SoD violations that could appear in an SAP application.
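The vendor-and-payment conflict described above can be checked mechanically against role assignments. The following Python script is an added example, not Onapsis code or an SAP tool: the transaction-code-to-function mapping, the role names and the user assignments are constructed assumptions, and the ruleset is a small illustrative subset rather than a complete SoD matrix.

```python
"""SoD conflict check over SAP role assignments (added example, not Onapsis code).
Transaction-code mapping, roles and users below are constructed assumptions."""

TCODE_TO_FUNCTION = {
    "FK02": "vendor_master_maintain",    # change vendor master data (bank details)
    "ME21N": "purchase_order_create",
    "ME29N": "purchase_order_release",
    "F110": "vendor_payment_process",    # payment run
}

# Pairs of business functions that one person must not hold together.
SOD_RULES = {
    frozenset({"vendor_master_maintain", "vendor_payment_process"}): "fictitious vendor + payment",
    frozenset({"purchase_order_create", "purchase_order_release"}): "self-approved purchasing",
    frozenset({"vendor_master_maintain", "purchase_order_create"}): "vendor setup + ordering",
}

ROLE_TCODES = {                          # constructed sample roles
    "Z_AP_VENDOR_MAINT": {"FK02"},
    "Z_PURCHASING": {"ME21N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_AP_PAYMENTS": {"F110"},
}
USER_ROLES = {                           # constructed sample assignments
    "ALICE": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},   # the article's example
    "BOB": {"Z_PURCHASING"},
    "CAROL": {"Z_PURCHASING", "Z_PO_APPROVER"},
}

def user_functions(roles, role_tcodes=ROLE_TCODES):
    """Map each business function a user can perform to the roles granting it."""
    granted = {}
    for role in roles:
        for tcode in role_tcodes.get(role, ()):
            func = TCODE_TO_FUNCTION.get(tcode)
            if func:
                granted.setdefault(func, set()).add(role)
    return granted

def sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Return {user: [(rule, [roles causing it]), ...]} for every violated rule."""
    findings = {}
    for user, roles in user_roles.items():
        granted = user_functions(roles, role_tcodes)
        for pair, rule in SOD_RULES.items():
            if pair <= set(granted):           # both sides of the conflict held
                culprits = set().union(*(granted[f] for f in pair))
                findings.setdefault(user, []).append((rule, sorted(culprits)))
    return findings
```

Reporting the contributing roles shows whether a single role is badly designed or whether the conflict only appears when two individually clean roles are combined on one user.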

Patch Management: 

SAP, like many other software vendors, regularly releases patches to fix security vulnerabilities. This happens on the second Tuesday of every month, when approximately 20 to 40 security patches are released. 

Applying these patches promptly is crucial for protecting SAP systems from active exploitation and abuse of these security vulnerabilities. Examples of such vulnerabilities are CVE-2020-6287 and CVE-2020-6207.

Stay up to date with SAP security patches—each month, Onapsis provides a comprehensive analysis of the latest SAP Security Notes and their impact. Visit our SAP Patch Day archive for expert insights and actionable recommendations.

Logging and Monitoring: 

Having the right level of visibility into what happens across SAP applications is important to identify potentially risky scenarios, such as exploitation of security vulnerabilities or unauthorized access to certain functionality. Enabling logs and monitoring them is essential for detecting suspicious behavior. Different logs in SAP record who accessed what, when, and from where. Monitoring tools can alert you to unusual patterns, such as multiple failed login attempts or unauthorized access to sensitive data. Given the complexity of SAP applications, there are multiple logs to review and monitor in order to gain a comprehensive understanding of the actions that take place in the system. Examples include the Security Audit Log, Change Documents, and the Gateway Log.
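As an added example (not code from the original article or from Onapsis), the following Python detection runs over a constructed, simplified export of Security Audit Log records and flags the pattern mentioned above: a burst of failed logons, plus a successful logon that follows such a burst from the same terminal. The message IDs AU1 (logon successful) and AU2 (logon failed) are real Security Audit Log IDs; the semicolon-separated line layout and the records themselves are assumptions.

```python
"""Failed-logon detection over Security Audit Log records (added example,
not Onapsis code). AU1 = logon successful and AU2 = logon failed are real
Security Audit Log message IDs; the semicolon-separated line layout and the
records themselves are a constructed, simplified export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp;client;user;terminal;message_id
SAMPLE_LOG = """\
2024-03-12 08:00:01;100;JSMITH;10.1.2.3;AU2
2024-03-12 08:00:04;100;JSMITH;10.1.2.3;AU2
2024-03-12 08:00:07;100;JSMITH;10.1.2.3;AU2
2024-03-12 08:00:10;100;JSMITH;10.1.2.3;AU2
2024-03-12 08:00:13;100;JSMITH;10.1.2.3;AU2
2024-03-12 08:00:20;100;JSMITH;10.1.2.3;AU1
2024-03-12 08:05:00;100;MJONES;10.1.2.9;AU2
2024-03-12 09:00:00;100;MJONES;10.1.2.9;AU1
"""

def parse(text):
    """Turn the export into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        ts, client, user, terminal, msg = line.split(";")
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "user": user, "terminal": terminal, "msg": msg})
    return records

def detect(records, threshold=5, window=timedelta(minutes=10)):
    """Alert once when a user reaches `threshold` failed logons inside `window`,
    and again if a successful logon then follows from the same terminal."""
    alerts = []
    failures = defaultdict(list)          # (client, user) -> recent AU2 records
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["client"], rec["user"])
        recent = [f for f in failures[key] if rec["ts"] - f["ts"] <= window]
        if rec["msg"] == "AU2":
            recent.append(rec)
            failures[key] = recent
            if len(recent) == threshold:
                alerts.append(("failed_logon_burst", rec["user"], rec["terminal"]))
        elif rec["msg"] == "AU1":
            same_src = [f for f in recent if f["terminal"] == rec["terminal"]]
            if len(same_src) >= threshold:
                alerts.append(("success_after_burst", rec["user"], rec["terminal"]))
            failures[key] = []            # a successful logon resets the counter
    return alerts
```

The second alert type is the one worth paging on: a single failure followed by a normal logon an hour later (MJONES) is noise, while a success immediately after a burst from the same source is the signature of a guessed password.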

The Importance of Basic Hygiene

Regardless of where you are in the process of securing SAP applications, it is important to consider basic cybersecurity hygiene across your SAP landscape.

Strong Passwords:

Encourage users to create and use strong, unique passwords. This can be enforced through several configurations across SAP, or outside SAP if you use single sign-on. If passwords are configured locally for users across multiple SAP applications, it is important to configure different ones, so that if a user's password is compromised (through cracking or infostealers) it cannot be used to move laterally across your SAP landscape and compromise further systems. 

Disable standard users: 

Block or change passwords of standard users with well-known default passwords.

Enforce secure configurations: 

Identify and secure system configurations according to best practices and standards. Given the sheer number of parameters and configurations that can be set in an SAP application, it is important to prioritize these changes accordingly.
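The password, standard-user and configuration points above can be verified against an instance profile. This Python checker is an added example, not Onapsis code: the parameter names are real SAP profile parameters, while the baseline thresholds are an assumed organizational policy and both profile fragments are constructed samples.

```python
"""Profile-parameter hygiene check (added example, not Onapsis code).
The parameter names are real SAP profile parameters; the baseline thresholds
are an assumed organizational policy and both profile fragments are constructed."""
import re

# Assumed baseline: parameter -> (predicate on the integer value, expectation text)
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 12, ">= 12 characters"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5 attempts"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "between 1 and 90 days"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1 (no fallback SAP* logon)"),
}

# Constructed weak fragment: short passwords, lax lockout, no expiry, SAP* not covered
WEAK_PROFILE = """\
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/password_expiration_time = 0
"""
HARDENED_PROFILE = """\
login/min_password_lng = 14
login/fails_to_user_lock = 5
login/password_expiration_time = 90
login/no_automatic_user_sapstar = 1
"""

def parse_profile(text):
    """Return {parameter: int value}; blank lines and # comments are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w/]+)\s*=\s*(\d+)", line)
        if m:
            params[m.group(1)] = int(m.group(2))
    return params

def check_profile(text):
    """Return (parameter, actual, expected) for each baseline miss. A parameter
    that is not set is reported with actual=None: the kernel default then applies."""
    params = parse_profile(text)
    findings = []
    for name, (ok, expected) in BASELINE.items():
        value = params.get(name)
        if value is None or not ok(value):
            findings.append((name, value, expected))
    return findings
```

Treating an unset parameter as a finding matters: a profile that never mentions a parameter silently inherits the kernel default, which is what the prioritization step in the text should catch.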

User Training:

Educate users about cybersecurity threats and best practices. One way you can help your SAP users increase their awareness of cybersecurity in SAP is through the recently released Cybersecurity for SAP | Book and E-Book – by SAP PRESS

Network Security:

The attack surface of SAP applications is significant, due to the technology that serves these applications. The interconnected nature of SAP business processes further increases the potential attack surface. To reduce it, properly configure firewalls and network security devices to protect your SAP systems from external threats, and avoid exposing services and applications to users and networks that do not require access to them.

Conclusion

Securing SAP applications can feel overwhelming, but by understanding the basics and implementing fundamental security measures, you can significantly reduce your organization’s risk. Prioritizing tasks such as secure authentication, strong authorization, and good hygiene practices is the first step towards securing your critical SAP systems.

Remember, cybersecurity is not a one-off exercise but a continuous process. If you need help from the experts, Onapsis is here to help.