English | Deutsch | Español

SAP Security Today: 5 Challenges for CIOs (Part 2)

March 19, 2019 | From Caroline Neuber, Virtual Forge GmbH

Successful Formula to SAP Security

Based on the C-level challenges described in Part 1, this section provides you with recommendations for action. Based on our many years of experience, we can present you with proven methods that make it possible to sustainably protect the SAP landscape in your company.Erfolgsrezept_web

Embedding Security and Compliance through the Company

For a successful security concept, it is important that all areas in the company share the same understanding. Security mechanisms should be interdependent and should not stop at departmental boundaries. With regard to the "Three Lines of Defense" model, communication between departments must be promoted.

In concrete terms, this means that the operational SAP department must be enabled to check code for vulnerabilities with little effort and to subject configurations to an endurance test. Suitable tools must also be available for transport management to enable those responsible to routinely check transports for possible sources of error.

The IT security department must be able to obtain a strategic overview of the controls. With the help of Security Information and Event Management (SIEM) solutions, real-time analyses of anomalies can be created, and corresponding security alarms triggered as soon as a security incident occurs. This gives the security team the ability to contact the SAP department to discuss the criticality and need for risk mitigation. 

Continuous reports with detailed explanations of vulnerabilities, business impacts, and actions help Internal Audit proactively understand the risk to the application and draw the right conclusions. The exchange with the responsible SAP department can now take place at eye level.

The CIO himself gains more transparency about the actual security level of his company through the empowerment of the individual departments and improved communication between the departments. This means he is in the loop when critical situations arise and can act quickly.  

In addition to enabling the three departments, it is also important to create awareness that "Security & Compliance" is not a flash in the pan. The goal should be to continuously implement a security strategy. A proven procedure consists of three steps: The inventory, the elimination of critical weaknesses and the establishment of long-term security measures to ensure that no new security risks are introduced into the systems in the future.


To implement a holistic security strategy, it is necessary to use automated tools. The complexity of the SAP landscape is too high to guarantee an adequate security level with manual techniques. Checking tens of thousands of lines of code would take weeks or even months, with the level of concentration and expertise varying from employee to employee. The change of system configurations would not be noticed ad hoc by anyone and the majority would remain unrecognized during the analysis of the interfaces. Quality defects and high costs result, which are caused by the enormous expenditure of time.

Automated solutions offer many advantages:

  • Lower error rates
  • Efficient use of resources
  • Integration with standard processes
  • Uniform logging and reporting
  • Constant safety level
  • Fast response times through monitoring and alerting

Integrating Security Mechanisms into the Development Process

In order to secure the company's future and the long-term minimization of risks in a volatile environment, security mechanisms should be integrated into the development process at an early stage. Vulnerabilities can be eliminated at an early stage and do not represent a security risk. Developers are also enabled to map processes consistently and recurrently.

The integration of the security aspect into the close cooperation between development and operations is called DevSecOps. Here it is important that in addition to the functional protection components, such as authorizations and encryption, technical aspects are also taken into account that include common security standards in the development right from the start.

It is recommended to use testing tools in every phase of the software product lifecycle that are integrated directly into the DevOps environment and guarantee a high degree of automation.

Whatever security tools a company chooses: It is important that the individual components can be seamlessly integrated and coupled with each other so that information breaks do not occur. Otherwise, there is a danger that the overview will quickly be lost and existing error or defect lists will be overlooked.

Identifying and Acting on Security Requirements

An SAP vulnerability analysis can provide an almost instantaneous summary of your current risk situation. This includes an assessment of the consequences of each weakness, including the losses it could cause and the likelihood of this occurring.

The Virtual Forge vulnerability analysis service offers a fast, simple and holistic way to evaluate an SAP system. The security checks involved cover system configurations, customer-specific code, basic authorizations and transports (including corresponding histories).

The results are analyzed and explained by experienced SAP security consultants and the vulnerabilities found are presented in a clearly structured PDF report. These findings include a detailed description of our code metric, which is based on the benchmark we have derived in analyzing over 350 SAP systems globally.

Understand Your Risk!

Read part I of the blog get to know the challenges!

Picture: www.freepik.com

Topics: UnderstandYourRisk