CYBSEC has been working and advising on SAP security issues since 2001, on UNIX, Windows and AS/400 platforms. Since 2005 it has been intensely active in the discovery of vulnerabilities and has made significant contributions towards their resolution.
In 2007, CYBSEC began to work directly with SAP AG, Germany, establishing a fluent and highly constructive relationship with its security teams.
The following describes the SAP system security services rendered by CYBSEC:
1. Design of SAP architecture within a secure environment
The object of this service is to design or redesign the SAP architecture at the highest security level possible. It focuses on defining security in the network topology of the SAP components (SAP application servers, database servers, administrators and end users).
It covers the development of a secure network layout and the security measures to be adopted: firewalls, DMZs, encryption, application firewalls, operating system security, database security and SAP security, among others.
2. SAP Internal security configuration
This service provides organizations with the advice they need to specify the internal security level they expect for their SAP applications.
Aspects taken into consideration include:
- Security of implemented SAP version and modules.
- Hot Packages installed.
- Definition and distribution of Clients.
- Password parameters.
- Ability to change systems and clients.
- Default user passwords.
- Users with unlimited transaction access.
- Existence of blocked transactions.
- Access to sensitive transactions.
- Modification of system parameters and profiles.
- Workbench Organizer Configuration.
- Transport system access.
- Table editing.
- Users access level to software.
- Existence of transport order logs.
- Use of SAP*, SAPCPIC and EARLYWATCH.
- Use of SAP_ALL, SAP_NEW profiles.
CYBSEC shall apply all the security measures
necessary to achieve the highest security level.
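As an added illustration of the kind of checks listed above (this is example code written for this page, not CYBSEC's or SAP's tooling), the script below evaluates an exported set of login/* profile parameters and a user/profile listing against a small hardening baseline. The parameter names and the default user and profile names are standard SAP identifiers; the baseline thresholds and the sample input are constructed assumptions.

```python
"""Baseline review of SAP profile parameters and default users (added example).

Assumptions (not from the page): profile parameters arrive as key = value text
and users as (client, user, profiles, locked) rows exported from the system;
the thresholds in PARAM_BASELINE are a hypothetical hardening baseline.
"""

# SAP default users (standard names) that must be locked or secured.
DEFAULT_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}
# Composite profiles that grant unlimited transaction access.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Hypothetical baseline: rule kind followed by its bounds.
PARAM_BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", 1, 90),  # 0 means never expires
    "login/fails_to_user_lock": ("range", 1, 5),
    "login/no_automatic_user_sapstar": ("eq", 1),
}


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_parameters(params):
    """Return one finding string per parameter that misses the baseline."""
    findings = []
    for name, rule in PARAM_BASELINE.items():
        if name not in params:
            findings.append(f"{name}: not set (kernel default applies)")
            continue
        try:
            value = int(params[name])
        except ValueError:
            findings.append(f"{name}: non-numeric value {params[name]!r}")
            continue
        kind = rule[0]
        if kind == "min" and value < rule[1]:
            findings.append(f"{name}={value}: below minimum {rule[1]}")
        elif kind == "range" and not (rule[1] <= value <= rule[2]):
            findings.append(f"{name}={value}: outside {rule[1]}..{rule[2]}")
        elif kind == "eq" and value != rule[1]:
            findings.append(f"{name}={value}: expected {rule[1]}")
    return findings


def check_users(user_rows):
    """Flag unlocked default users and any user holding SAP_ALL or SAP_NEW."""
    findings = []
    for client, user, profiles, locked in user_rows:
        assigned = {p.strip() for p in profiles.split(",") if p.strip()}
        if user in DEFAULT_USERS and locked != "X":
            findings.append(f"client {client}: default user {user} is not locked")
        broad = assigned & BROAD_PROFILES
        if broad:
            findings.append(f"client {client}: {user} holds {sorted(broad)}")
    return findings


def audit(profile_text, user_rows):
    """Run both checks and return the combined list of findings."""
    return check_parameters(parse_profile(profile_text)) + check_users(user_rows)


# Constructed sample input (not from a real system).
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 3
login/no_automatic_user_sapstar = 0
"""

SAMPLE_USERS = [
    # (client, user, assigned profiles, locked flag "X" or "") -- constructed
    ("000", "SAP*", "SAP_ALL", "X"),
    ("100", "SAPCPIC", "S_A.CPIC", ""),
    ("100", "EARLYWATCH", "S_TOOLS_EX_A", ""),
    ("100", "JDOE", "SAP_ALL,SAP_NEW", ""),
    ("100", "AUDIT1", "S_A.SYSTEM", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_USERS):
        print("FINDING:", finding)
```

Running it against the sample input yields three parameter findings (short minimum length, non-expiring passwords, automatic SAP* login not disabled) and four user findings (two unlocked default users, SAP_ALL on SAP* and on a dialog user). Extending PARAM_BASELINE with further parameters is the natural way to grow the check toward the full list above.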
3. SAP Infrastructure assurance
This service is aimed at reaching the highest security level possible across the entire infrastructure supporting SAP: operating system, database, SAP application, interfaces and
CYBSEC will assist in the implementation of the security measures needed to reach the highest security
To ensure the security level of the operating system we work on: security configuration; audit logs; users, access passwords and profiles; permissions on critical directories; installed patches; security of enabled services; among others.
For database security, we work on security patches, database auditing, permissions on database directories and files, analysis of the database owner, default passwords and database-specific security parameters, among others.
For SAP application assurance, we work on each of the aspects mentioned in item 2, SAP Internal security configuration, and
Existing interfaces (strong encryption, authentication, etc.) with other external systems providing or receiving SAP are
We work on secure access for SAP users and administrators
The outcome of this service is the operation of SAP at the highest security level possible.
4. Security compliance audits (SOX, PCI and ISO 27001)
These are aimed at assessing and determining the current and actual security level of the SAP infrastructure, applying security auditing techniques. To complement the audits, a GAP analysis against regulations such as SOX, PCI* and ISO 27001 can be conducted.
The audit consists of:
- Security review of the operating system, database and
- Security analysis of SAP parametrization.
- Security analysis of connectivity to external systems.
- Analysis of defined users and profiles.
As an outcome, companies using SAP will have objective information about their own security level.
The GAP analysis allows you to assess your level of compliance with the international regulations on the matter.
* CYBSEC is a Qualified Security Advisor certified by the PCI Council.
5. Revision and assurance of Web Services (Enterprise Portal/ICM/ITS/BC/Applications)
In its continuous evolution, SAP, through tools such as ITS and Business Connector, allows systems to be reached from outside, with a corresponding increase in the level of risk.
CYBSEC experts assess the actual security level of the implementation of tools for external access to SAP through the Web, establishing existing vulnerabilities and proposing and implementing alternatives to address them so as to raise their security level to the utmost.
Our work covers the assessment of the network topology and the analysis of the current operating system and web server security. The security level of the implemented tools (ITS, Business Connector, etc.) and their interconnection with the internal SAP system are assessed as well.
This service will result in the organization having secure use of remote functionality at its disposal.
6. Analysis, design and implementation of secure interfaces
Interfaces meant for sending and receiving information have
always been the Achilles’ heel of a system’s security.
The object of this service is to provide secure interfaces among the various systems that operate with SAP.
CYBSEC can develop a secure interface model taking into account data encryption, authentication between the involved parties, the interface's internal security and its secure programming, among others.
The secure model developed is then applied to the existing interfaces.
7. SAP Penetration Testing
This is aimed at obtaining an objective external assessment of the actual security level of the SAP infrastructure.
To carry out this test, CYBSEC experts connect from the external network without any prior information and attempt to access the systems supporting the SAP infrastructure (base operating systems, databases, application servers, etc.).
This methodology allows us to determine the actual security level and rapidly detect security risks so as to move towards
8. Course on SAP Security
CYBSEC has designed a course on SAP Security, in which its experts share their experience regarding SAP
The course can be given in two forms: theoretical learning (8 hours) or practical training (16 hours).
Subjects for discussion are:
- Computer Security Fundamentals in SAP.
- Operating System Security (Windows / UNIX).
- Database Security (MS SQL Server / Oracle).
- Basic Security Concepts in SAP R/3.
- SAP R/3: Transport System Security.
- SAP R/3: User and Authentication Administration.
- SAP R/3: Communications Security.
- SAP R/3: Security in Connectivity.
- SAP R/3: System Updating.
- Log Analysis and Audit.
If you wish to contact us, please send an e-mail to Claudia
or call us at 54-11-4371-4444.