
Assessment of SAP – ERP Security


ERP Security

ERP needs no introduction, and neither does ERP security. However, let me start with some of the myths and realities about ERP security.

Some ERP Security Myths are:

  • ERP is available only internally, so there are no threats from the internet.
  • ERP security is a vendor problem.
  • The ERP application is very specific and not known to attackers.
  • ERP security is all about Segregation of Duties (SoD).

Actually the reality is:

  • ERP is not really an internal application for major organizations. A simple Google search will show thousands of ERP URLs available publicly. Moreover, attacking from inside is relatively easy, as an attacker can use social engineering to gain sensitive information and launch web attacks such as XSS and CSRF.
  • ERP security is not completely a vendor problem, as many of the security issues are caused by implementation flaws, misconfigurations, human factors, patch management, policies and processes, and so on.


  • ERP security is a widely discussed subject at most of the top conferences, such as Black Hat, RSA and DeepSec.
  • SoD is only one aspect of ERP security. As per the OWASP top 9 application issues, there are various other flaws related to ERP security that need to be tested.

As a result, a very specific yet comprehensive security assessment of your ERP implementation is required. In the following section, we describe the key security areas to cover as part of ERP penetration testing, so that the assessment gives complete coverage with fewer false positives.

Key Security Assessment Areas:

Comprehensive Penetration Testing and Auditing:

  • Vulnerability assessment: Perform vulnerability assessment from various perspectives (black-box, grey-box and white-box). Verify that the published ERP Security Notes have actually been implemented.
  • Misconfiguration auditing: Perform comprehensive auditing of misconfigurations that may lead to security vulnerabilities.
  • Verify and audit critical access: Perform comprehensive checks on access to critical resources, including web services, tables, RFC procedures and other critical objects in the system.


Source code security review:

Source code auditing of the ERP implementation, covering the following major assessment areas:

  • Backdoors
  • Critical calls (System, DB, OS, Transactions, Tables, Reports)
  • Missing and improper authority checks
  • Performance tests
  • Obsolete statements
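As an added illustration (not code from the original post), the following Python script is a minimal static scanner for custom ABAP code that flags three of the audit areas above: hardcoded user-name backdoors, critical calls (OS, native SQL, transaction and dynamic-code statements) and obsolete statements, plus an AUTHORITY-CHECK whose sy-subrc result is never examined. The ABAP sample, the rule names and the regular expressions are constructed for this example; a real audit would use the SAP Code Inspector or a dedicated scanner, and these patterns only show the idea.

```python
import re
from collections import Counter
# Constructed ABAP sample for this example (not from the page or SAP); it holds
# one instance of each audit area plus one correctly checked AUTHORITY-CHECK.
SAMPLE_ABAP = """
DATA: lv_cmd TYPE string, lt_old TYPE i OCCURS 0.
IF sy-uname = 'ZDEVADM'.
  WRITE 'maintenance mode'. ENDIF.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
CALL TRANSACTION 'SE38'.
COMPUTE lv_cmd = 'ls -l'.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM' ID 'TABLE' FIELD 'USR02'.
IF sy-subrc <> 0. RETURN. ENDIF.
EXEC SQL.
  SELECT bname FROM usr02 INTO :lv_cmd
ENDEXEC.
"""

# One pattern per audit area listed above; each is applied to every statement.
RULES = {
    "BACKDOOR": re.compile(r"\bSY-UNAME\s*(?:=|EQ)\s*'", re.I),   # hardcoded user name
    "CRITICAL_CALL": re.compile(r"^(?:CALL\s+'SYSTEM'|EXEC\s+SQL|CALL\s+TRANSACTION"
                                r"|INSERT\s+REPORT|GENERATE\s+SUBROUTINE\s+POOL)(?!\w)", re.I),
    "OBSOLETE": re.compile(r"^COMPUTE\b|\bOCCURS\b", re.I),
}
AUTH = re.compile(r"^AUTHORITY-CHECK\b", re.I)
SUBRC = re.compile(r"\bSY-SUBRC\b", re.I)

def split_statements(source):
    """Strip '*' comment lines and inline '"' comments, then split on the periods that terminate ABAP statements."""
    kept = [ln.split('"', 1)[0] for ln in source.splitlines() if not ln.startswith("*")]
    return [s.strip() for s in re.split(r"\.(?=\s|$)", "\n".join(kept)) if s.strip()]

def audit(source):
    """Return (rule, statement) findings in source order."""
    stmts = split_statements(source)
    findings = []
    for i, s in enumerate(stmts):
        findings += [(name, s) for name, rx in RULES.items() if rx.search(s)]
        # An AUTHORITY-CHECK whose sy-subrc is never examined protects nothing.
        nxt = stmts[i + 1] if i + 1 < len(stmts) else ""
        if AUTH.match(s) and not SUBRC.search(nxt):
            findings.append(("MISSING_SUBRC_CHECK", s))
    return findings

def summary(source):
    """Number of findings per rule, e.g. {'CRITICAL_CALL': 3, ...}."""
    return dict(Counter(rule for rule, _ in audit(source)))
```

Running `audit(SAMPLE_ABAP)` reports the OCCURS declaration, the sy-uname backdoor, the unchecked AUTHORITY-CHECK, both critical calls and the EXEC SQL block, while the second AUTHORITY-CHECK passes because the next statement tests sy-subrc.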

Verification of Segregation of Duties (SoD) Modules:

  • Critical privilege analysis (BASIS, HR, Expenditure, Inventory, industry solutions)
  • Segregation of Duties analysis
  • Role optimization
  • Predefined and custom profiles
  • CSV import/export of profiles and results


  1. gynye says:

    Thanks for your valuable posting, it was very informative.

  2. bharathi.B says:

    Thanks for your valuable posting, it was very informative.
