SAP Security Audit


An SAP Security Audit is a structured evaluation of SAP systems (such as ECC, S/4HANA, or SAP Business Suite) to identify vulnerabilities, misconfigurations, excessive privileges, and compliance issues. SAP systems are critical to enterprise operations and are frequent targets due to their deep access to finance, HR, logistics, and customer data.


📋 SAP Security Audit Checklist (in Table Format)

| # | Audit Area | Control / Audit Focus | Evidence / Method |
|---|------------|-----------------------|-------------------|
| 1 | User Management | Unused or default SAP users (e.g., SAP*, DDIC) are locked and monitored | SUIM reports, user listing |
| 2 | Password Policies | Enforce strong password rules (min length, complexity, expiration) | Profile parameter check: login/* |
| 3 | User Authorization Review | Role-based access control (RBAC); check for SoD (Segregation of Duties) conflicts | SUIM – Roles & Authorization analysis |
| 4 | Sensitive Transactions | Monitor use of critical T-codes (e.g., SE11, SE16, SU01, SM59, SCC4) | Audit logs, transaction usage reports |
| 5 | Audit Logging | Ensure logging is enabled for config changes, logins, user actions | SM19/SM20 (Security Audit Log) |
| 6 | RFC Connections | Validate secure configuration of RFC destinations and restrict trusted systems | SM59 config, RFC connection list |
| 7 | Transport Management | Controls on SAP transports to prevent unauthorized code/config movement | STMS logs, table TPALOG, change requests audit |
| 8 | SAP_ALL / SAP_NEW Roles | Users with powerful composite roles like SAP_ALL are identified and reviewed | SUIM – Users by Profile |
| 9 | Basis Security Parameters | Validate key parameters (e.g., rfc/call_check, auth/*, login/*, etc.) | RZ11 parameter dump |
| 10 | Custom ABAP Code Review | Scan custom programs for hardcoded credentials, insecure logic, or SQL injection | Code Inspector (SCI), ATC checks |
| 11 | Interface Security | Secured integrations (IDocs, PI/PO, Web Services) with encryption and authentication | PI/PO logs, SM59, STRUST |
| 12 | Table Access | Check for direct access to sensitive tables (e.g., USR02, PA0001, BUT000) | ST03N, SUIM – Tables accessed |
| 13 | Client Settings | Verify SCC4 and client settings: no modifiable clients in production | SCC4 configuration snapshot |
| 14 | Change Logging | Enable and monitor change logs for config tables (e.g., T000, USR*) | SCU3 logs |
| 15 | Patch Management | SAP kernel and support packs up to date | SPAM/SAINT version reports |
| 16 | SSO & Authentication Integrations | Integration with Active Directory, SAML, 2FA | STRUST certificates, SSO log config |
| 17 | Encryption & TLS | Ensure TLS is used for SAP GUI, Web Dispatcher, PI, and RFC | STRUST, SMICM, ICM logs |
| 18 | Segregation of Duties (SoD) | Conflict matrix check (e.g., posting & approval in finance, user creation & role assignment) | GRC AC, manual SoD matrix or third-party tool (e.g., ERPScan) |
| 19 | Background Jobs Security | Validate job ownership, authorization, and contents of critical jobs | SM37 job list, SM36 config |
| 20 | SAProuter & External Access | Secure saprouter config and avoid direct external access | saprouter logs, port scan, firewall check |
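Checklist items 2 and 9 both come down to comparing profile parameters against a policy. The script below is an added example, not code from the original post or from SAP: it parses a constructed RZ11-style "name = value" dump and reports every parameter that misses an assumed hardening threshold (the threshold numbers are illustrative, not SAP's official baseline values).

```python
# Added example (not SAP code): check an RZ11-style parameter dump against an assumed policy.
import re

# Constructed sample dump in "name = value" form, as a Basis admin might export it.
SAMPLE_DUMP = """\
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
"""

# (parameter, comparison, required value); assumed policy thresholds for illustration.
POLICY = [
    ("login/min_password_lng", ">=", 8),
    ("login/password_expiration_time", "between", (1, 90)),
    ("login/fails_to_user_lock", "<=", 5),
    ("login/no_automatic_user_sapstar", "==", 1),
]

def parse_dump(text):
    """Return {parameter: value} from 'name = value' lines; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_parameter(params, name, op, required):
    """Return a finding string, or None when the parameter satisfies the policy."""
    if name not in params:
        return f"{name}: not set in profile (kernel default applies), expected {op} {required}"
    try:
        value = int(params[name])
    except ValueError:
        return f"{name}: non-numeric value {params[name]!r}"
    ok = {
        ">=": lambda v: v >= required,
        "<=": lambda v: v <= required,
        "==": lambda v: v == required,
        "between": lambda v: required[0] <= v <= required[1],
    }[op](value)
    return None if ok else f"{name}: is {value}, expected {op} {required}"

def audit(text, policy=POLICY):
    """Return one finding per non-compliant policy entry (empty list means compliant)."""
    params = parse_dump(text)
    return [f for f in (check_parameter(params, *p) for p in policy) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Parameters absent from the dump are reported too, because the kernel default then applies and that default is usually weaker than the policy.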


🛠 Common SAP Security Audit Tools

| Tool | Use |
|------|-----|
| SAP GRC (Access Control) | SoD, role simulation, user provisioning audits |
| SUIM | Role/user/authorization analysis |
| SCI / ATC | Static code analysis for ABAP |
| SM20 / SM19 | View and configure audit logs |
| ERPScan / Onapsis | Vulnerability scanning and compliance audits |
| Solution Manager | Change control, diagnostics |


📁 Deliverables of an SAP Security Audit

| Document | Description |
|----------|-------------|
| SAP Security Audit Report | Comprehensive overview of findings across modules and systems |
| Critical Users and Roles List | List of users with high privileges and roles |
| Risk Matrix (SoD) | Overview of segregation of duties conflicts |
| Transport/System Change Review | Analysis of unauthorized changes or code movement |
| ABAP Custom Code Issues | List of security flaws in custom code (e.g., SQLi, auth gaps) |
| Remediation Plan | Detailed technical and procedural fixes for each finding |


🛡 Related Standards & Compliance

  • SAP Security Baseline (SAP Note 2253549)
  • NIST 800-53 (mapping via GRC tools)
  • ISO 27001: A.9, A.12, A.13 (access, logging, cryptography)
  • SOX (financial system controls)
  • GDPR (personal data handling in SAP HCM or CRM modules)
  • DSAG / SAP Security Guidelines
