
Software Imports in SAP: An Invitation for every Hacker

July 30, 2018 | By Thomas Fritsch, Virtual Forge GmbH

Hardly anyone would deny that importing external transports into an SAP system is always associated with a slightly uncomfortable feeling. Usually you have to trust that the vendor of the transport is trustworthy and does not, intentionally or unintentionally, bring along code or table contents that compromise or even completely undermine system security. Unnoticed manipulation or replacement of the transport request by third parties during the software delivery process is also possible.

It is not without reason that SAP® itself has been signing its own notes for some time to protect customers from such manipulations by third parties (SAP Note 2408073).

A recent survey of leading IT decision-makers and experts, published in “Der Spiegel”, one of the leading German magazines, shows that IT managers are mainly aware of classic attack methods such as phishing or ransomware. Security problems caused by software updates, on the other hand, play a secondary role.

Security managers are often unaware of how many sources of external transport requests exist and how long the delivery chain is.


Furthermore, there is no knowledge of the specific ways in which SAP systems can be attacked with malicious content or prepared for an attack, nor the experience needed to recognize such content if necessary. Some examples:

  • An SAP system can be completely deleted by a single entry in the object list of a transport request
  • Content can be infiltrated into any table and manipulated without being visible in the transport request or recognized by the transport information system
  • ABAP code can be imported in many ways such that it is executed either directly when a transport request is imported or at a later point in time, unnoticed by an uninvolved and unsuspecting user

Anyone responsible for the security of SAP systems in companies should be aware of these risks and protect themselves accordingly. With the Security Suite as a Service, Virtual Forge offers SAP customers immediate, full protection against attacks from external transports.



Update: More information from SAP is available in SAP Note 2671160.