Assessment of SAP custom code is a must-have if you want to control stability and
security of your SAP systems. Every SAP System has vulnerabilities and even backdoors that are left
open by developers. A perfectly configured system is a result of great architecture and genius minds
combining together Vulnerability and Configuration Management, Access Control and Segregation of Duties
and of course Source code Security. Even with the latest security updates, unauthorized access to
critical information is still a possible risk. These are probable instances where developers overlook
vulnerabilities or there is a genuine possibility of backdoors injected intentionally at the source code
of ABAP, JAVA and HANA platforms.
We mix manual and automated assessment to provide the best results. We use ABAP
code review tool which is a part of ERPScan Security Monitoring Suite for SAP. After that, our team of
experts analyze reports, identify false positives and false negatives and perform manual review of the
most critical parts and execute complex manual checks which are not possible to automate. During ABAP
security code review we also take into account context of system which we analyze. Custom transactions,
user right, configuration parameters and all other things which can affect criticality of vulnerability
or probability of exploitation. At the final stage we provide custom solutions based on industry
guidelines and taking into account all system customizations and business needs.
What we do during ABAP Code Security Review?
The ABAP custom code like any other code can have vulnerabilities, allowing the
attacker unauthorized access to critical information and even change data present in the production
We review custom code according to the best-practices such as OWASP(owasp.org) and
During sap code scan we look at the typical types of vulnerabilities such as:
Apart from these typical vulnerabilities we identify ABAP-specific issues such
Insufficient authority checks;
Generic ABAP function calls;
Hardcoded authentication data;
These particular risks were analyzed by SAP, based on these results; documents were
issued narrating the basic requirements for secure application development required by SAP for ABAP and
What you will get after ABAP Code Security Review?
We check your applications source code for compliance within these mentioned
requirements as well as other existing vulnerabilities which are equally critical and suggest required
patching to rectify issues.
“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products.”
Senior Director, Product Security, Technology and Innovation Platform SAP Labs, Palo Alto, USA