What Is SAP Security? A Definitive Guide for 2025

SAP security is the comprehensive practice of protecting SAP applications, data, and the business processes they support from unauthorized access and cyber threats. Because SAP systems house an organization’s most business-critical information, including financial, customer, and HR data, ensuring that they’re properly secured is of the utmost importance. A strong SAP application security strategy is built on three core pillars: proactive vulnerability management for security and compliance, continuous security monitoring and proactive threat detection and response, and custom code security testing. By combining secure configurations, continuous monitoring, and automated compliance, organizations that focus in these three areas are finding great success in protecting their SAP landscapes from data breaches, potential fraud, and operational disruption or downtime.

Why SAP Security Is a C-Suite Priority 

SAP is the backbone of the world’s largest enterprises. These systems are not just another application; they are the operational engine for everything from financial reporting and supply chain management to HR payroll. According to SAP’s own corporate facts, the scale of its integration into the global economy is staggering:

• SAP customers include 92% of the Forbes Global 2000.
• 77% of the world’s transaction revenue touches an SAP system.
• Over 1,000 government and defense organizations worldwide rely on SAP for mission-critical operations.

This critical infrastructure is more frequently a target of sophisticated attacks, and, due to the sophistication of attack and proficiency of threat actors, the window for defenders has shrunk dramatically. Threat intelligence from the Onapsis Research Labs, also highlighted by CISA and featured in publications like The Record, shows that new SAP vulnerabilities can be weaponized in less than 72 hours after a patch is released. In stark contrast, Onapsis and other sources note that it can take enterprises anywhere from 60-90 days, on average, to identify, apply, test, deploy, and validate that same patch. This Defender’s Gap, combined with the fact that new, unprotected SAP applications in the cloud can be compromised in under three hours, means the risk has never been higher.

This speed and scale mean a breach in your SAP systems doesn’t just represent a data leak; it can lead to catastrophic business outcomes that command boardroom attention:

• Operational Disruption: A targeted attack could halt manufacturing lines, disrupt supply chains, or shut down financial operations, costing millions per day.
• Financial Fraud: Threat actors can target unsecured SAP systems to manipulate financial transactions, alter banking details, or commit large-scale fraud.
• Compliance Failure: Regulations like SOX, GDPR, and the EU’s NIS2 directive mandate strict controls over the data in your SAP systems. A failure to comply can result in steep fines and reputational damage.
• Data Breaches: Your SAP applications contain the “crown jewels,” which include employee PII, sensitive customer data, and intellectual property. A compromise can lead to significant financial and reputational loss.

Because of these high stakes, treating SAP security as just “segregation of duties” or an access control task would be a critical mistake. This is a core business-critical risk that demands a strategic, top-down approach.

Understanding the Layers of SAP Security 

As detailed in the definitive guide, Cybersecurity for SAP, by Onapsis CTO Juan Perez-Etchegoyen and Gaurav Singh, SAP cybersecurity manager at Under Armour, a truly resilient defense is a multi-layered discipline that involves protecting every component of the technology stack that SAP runs on. Securing your “crown jewel” applications isn’t just about the software itself; it involves protecting every component that supports it.

While the specific layers can be complex, a holistic strategy generally includes (but is by no means limited to) the following familiar key domains:

• Network Security: This involves securing the communication paths to and from your SAP systems. It includes implementing firewalls, segmenting networks to isolate critical systems, and securing protocols like RFC that SAP uses for communication.
• Operating System (OS) and Database Security: This layer focuses on hardening the underlying infrastructure that your SAP applications run on. It includes securing the operating systems (like Linux or Windows) and databases (like HANA or Oracle) through regular patching, secure configuration, and strict access controls.
• Physical Security: This layer involves protecting the physical data centers and servers where your SAP systems are housed from unauthorized access or environmental threats.

Each of these layers plays an important part of a defense-in-depth strategy. Interestingly enough, there is frequently one area that is often underestimated and underappreciated (and underinvested!): the application layer itself. This is the layer where your business processes run, where your critical data lives, and where an attack could have the most direct and devastating impact on the business. Securing the perimeter is important, but if the application at the center is vulnerable, your entire strategy is at risk. The following sections will revisit those initial three pillars of building a robust SAP Application Security program.

The Three Pillars of a Modern SAP Application Security Strategy 

A comprehensive SAP security strategy goes far beyond basic access controls. It requires a continuous, proactive approach built on three essential pillars. This framework helps organize the complex task of securing the application layer into a logical, manageable process.

Pillar 1: Proactive Vulnerability Management 

All software has flaws. ERP software and applications, such as those provided by SAP are no exception. This pillar is about proactively identifying security and compliance issues and prioritizing mitigation and response  across your entire SAP landscape before these issues can be exploited. Areas to target include

• Secure Configurations: Harden your SAP applications. This is the foundation. Apply security best practices to your application layer – including your HANA databases. Establish a security baseline and continuously assess your systems against it to prevent configuration drift.
• Patch Management: SAP releases Security Notes regularly, but knowing which ones are relevant to your landscapes – let alone those that may be actively exploited in the wild –  as well as validating their complete implementation (including manual workarounds and configs) are  massive, manual challenges. Modern security platforms centralize all activities related to patching, providing deep insights into SAP Note applications and, crucially, automatically validating that all patches were applied correctly, including those requiring manual configurations.
• Custom Code Analysis: Nearly every SAP system contains custom code, which can be a major source of vulnerabilities, especially if not regularly maintained. Further, with AI-enabled code development, it’s even more likely that insecure code could find its way into production environments. Additionally, even if code is secured before transported into production, there’s no guarantee that it remains secure as more and more sophisticated threat actors and ransomware groups seek to exploit vulnerable SAP code in production environments.

Pillar 2: Continuous Security Monitoring for Threat Detection & Response 

Both the quantity and the sophistication of attacks on vulnerable SAP systems continue to grow exponentially as more well-funded ransomware groups and state-sponsored entities directly target SAP landscapes.  With this rapidly evolving threat landscape, it’s critical to ensure your teams are identifying and mitigating malicious activity and exploitation as quickly as realistically possible. Continuous threat monitoring fueled by threat intelligence from SAP cybersecurity experts who are able to provide deep insights is a requirement for modern SAP cybersecurity. 

• Continuous Threat Monitoring: This involves implementing a robust solution to monitor for indicators of compromise, unusual user behavior (both insider and external), exploitation attempts, and more. The most effective monitoring remains separate from SAP instances in order to preserve appropriate security and compliance segregation of duties, leverages a deep understanding of the SAP threat landscape, and is powered by up-to-the-minute, impactful threat intelligence from a full team of experts like the Onapsis Research Labs.
• SOC/SIEM Integration: SAP has historically been a black box for security teams. A modern strategy requires integrating SAP security alerts into your central Security Operations Center (SOC) and SIEM (e.g., Splunk, Sentinel). This gives your security analysts the complete visibility they need to correlate threats across the entire enterprise.
• Focused SAP Incident Response: When a threat is detected, you need a well-defined plan to contain the damage and remediate the issue. Security solutions that provide contextual alerts, which explain the business risk and potential impact, can dramatically accelerate root cause analysis and improve incident response times.
• SAP BTP Monitoring: As organizations expand to the cloud, monitoring the SAP Business Technology Platform (BTP) for threats is becoming more essential. This requires the ability to create custom, flexible security controls and alerts that are tailored to your specific use cases and risk tolerance for BTP.

Pillar 3: Custom Code Security Testing 

While the first two pillars have focused on cybersecurity for your productive SAP landscapes, this third pillar is all about ensuring that your code is secure and compliant to begin with, before it even gets deployed to productive systems. It’s significantly easier and better to enforce security and compliance best practices during development and QA stages of application development before the code is actually processed, transported, and deployed to PRD.

• Secure Development (DevSecOps): This involves “shifting left” to embed security into your application development lifecycle .By automatically scanning custom ABAP code and transports for security, compliance, and performance issues before they move to production, you can prevent vulnerabilities from ever reaching your critical systems. This is especially important for modern development on platforms like SAP BTP.
• Security at Every Stage: Each stage of SAP application development is important, and there are opportunities during each and every stage for security issues, compliance errors, and more to sneak through into production. Ensuring you have application security testing capabilities broadly deployed and working in conjunction across and throughout your software change management processes is crucial to success.
• Don’t Reinvent the Wheel: Your team uses the best of the best in its development tech stack – from IDEs like VS Code, Business Application Studio in BTP, and Eclipse to CI/CD platforms such as Azure Pipeline and SAP CI/CD. Having security testing software that integrates wholly into the tools your team is already using offers huge advantages

Essential SAP Security Best Practices: A Checklist 

While SAP security can be complex, building a strong defense doesn’t have to be. Focusing on a set of core best practices provides a powerful foundation for protecting your business-critical applications. Use this checklist to gauge the maturity of your current strategy.

• Continuously Assess Your Attack Surface: Don’t rely on periodic audits. Implement a continuous program for managing vulnerabilities, checking for misconfigurations, and analyzing custom code to get a complete and up-to-date picture of your risk posture.
• Automate and Validate Patch Management: Move beyond slow, manual patching processes. Automate the identification of missing patches and, most importantly, validate that they were implemented correctly, including any required manual steps. This closes the window of exposure and ensures vulnerabilities are truly remediated.
• Integrate SAP Threat Monitoring with Your SOC: Break down the silo between your SAP and security teams. Feed critical SAP threat alerts and security events into SIEMs like Microsoft Sentinel for SAP, CrowdStrike, Splunk, and more. This provides your security analysts with the critical visibility they need to detect and respond to attacks that cross enterprise and application environments.
• Secure Your Custom Code Development Lifecycle: Embed automated security scanning directly into your development and change management processes. By “shifting left,” you can find and fix vulnerabilities in custom ABAP code and transports before they ever reach production, which is more secure and cost-effective.
• Enforce Strict Access Controls and SoD Policies: Regularly scan for misauthorizations or privilege creep to ensure that user roles, authorizations, and Segregation of Duties (SoD) policies are properly configured. This will help prevent both internal and external threats from gaining excessive access allowing them to potentially do harm inside your critical systems.
• Leverage Expert Threat Intelligence: Don’t wait for an attack to learn about a new threat. Incorporate threat intelligence from experts who specialize in business-critical applications. This ensures your defenses are prepared for the latest tactics, techniques, and procedures (TTPs) being used by threat actors targeting SAP.

How The Onapsis Platform Delivers Comprehensive SAP Application Security 

Understanding the pillars of a strong SAP application security strategy is the first step. The next is implementing them in a way that’s effective, automated, and integrated. The Onapsis Platform is the only solution fully endorsed by SAP itself that delivers a single, comprehensive security and compliance solution built to protect your most business-critical applications.

Powered by the industry-leading threat intelligence from the Onapsis Research Labs, our platform provides deeper visibility and time-saving automation needed to make securing your entire SAP landscape, including modern RISE with SAP and S/4HANA transformations, streamlined and easy.

(Image: A visual of the Onapsis interface)

Onapsis Assess 

Onapsis Assess provides comprehensive vulnerability management that aligns IT and security teams with the visibility and context they need to act on the greatest risks to the business. It empowers you to:

• Gain deep visibility into your application landscape and establish a security baseline and track your security progress over time with our AI-driven Security Advisor.
• Streamline patching with the SAP Notes Command Center, which centralizes patch-related activities and automatically validates that fixes were correctly applied, including any required manual steps.
• Automate assessments and prioritize remediation with detailed descriptions of business impact and step-by-step instructions.
• Leverage Onapsis-maintained compliance packages (e.g., for Sarbanes-Oxley, NIST, ISO, GDPR, PCI DSS, and more) to transform Assess into an audit and compliance engine that eliminates time-consuming audit work and automates evidence collection for you.

Onapsis Defend 

Onapsis Defend delivers continuous threat monitoring, detection, and response tailored for SAP applications. It helps eliminate the SAP security silo and enables your SOC to:

• Continuously monitor for over 2,500 threat indicators and suspicious behavior, including zero-day threats, based on real-time intelligence from the Onapsis Research Labs.
• Receive critical alerts on security issues discovered by the Onapsis Research Labs automatically before SAP releases Security Notes.
• Seamlessly integrate with best-in-class SIEMs to give your security analysts the context they need to accelerate incident response.
• Proactively address the most dangerous exploits with Rapid Controls, which allow you to monitor for threats targeting a specific vulnerability right from your scan results.
• Extend its application security and compliance monitoring reach into SAP Business Technology Platform (BTP) and RISE with SAP environments
• Fully customize more bespoke threat monitoring with our Alert on Anything capabilities.

Onapsis Control 

Onapsis Control embeds application security testing into your development and change management processes, enabling you to “shift left” and fix issues before they reach production. With Control, you can:

• Automatically review custom code and transports for security, performance, and compliance issues, complete with inline spell-checks for developers and automatic remediation for common code errors.
• Integrate security into your existing integrated development environments (IDEs), change management systems, Git repositories, and modern CI/CD operations  to both better secure and accelerate code project delivery.
• Secure modern development on the SAP Business Technology Platform (BTP) by ensuring custom applications are secure and compliant throughout the entire lifecycle.

Frequently Asked Questions (FAQ) 

Here are answers to some of the most common questions we hear about SAP security.