Is a Security Vulnerability Lurking in your SAP Code? Probably.

Each SAP system has 2,151 critical vulnerabilities on average. Are your enterprise organization's SAP applications safe from a major security vulnerability?

At Virtual Forge, we have a deep knowledge and understanding of SAP security. For example, in our 2016 Business Code Quality Benchmark report, we found that for every 1,000 lines of SAP code (and there are on average 1.9 million lines of code per SAP customer system), there are 1.1 critical security flaws.

Add those up and any given enterprise organization can have a pretty big backlog of security vulnerabilities – around 2,151 per SAP system – that need to be fixed.

Unfortunately, there are only twenty-four hours in a day, and even the best of intentions can’t tackle that many security issues at once, so prioritization becomes key.


Why are there so many critical security flaws in SAP applications and how can you mitigate these security vulnerability risks in your own organization’s code? For starters, these security vulnerabilities tend to happen in custom SAP code, which accounts for the vast majority of enterprise SAP applications.

Oftentimes, companies are unclear on whose responsibility it is to ensure that any security weaknesses are identified and fixed before the applications go live.

And unfortunately, many organizations fail to realize that it is, in fact, their responsibility to check for these types of security flaws. This obviously creates some pretty major security and compliance issues for companies, so let’s talk about what types of risks are the most common for SAP code.

Security and Compliance

Security and compliance vulnerabilities are usually the most immediate concerns for enterprise organizations, given the potential risks associated with cybersecurity attacks that can be used to exploit a security vulnerability within an SAP application. From our research, we identified five of the most common security and compliance code issues:

  1. Authorization Flaw
  2. Directory Traversal
  3. Direct Database Modification
  4. Cross-Client Access
  5. Open SQL Injection
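To make two of these categories concrete, here is an added ABAP illustration (written for this article, not code from the original post or from Virtual Forge) showing an Open SQL injection and a missing authority check in their weak and hardened forms. The custom table ZCUSTOMER, its NAME field and the authorization object ZCUSTREAD are assumptions made for the example; everything else uses standard ABAP constructs.

```abap
REPORT zsec_demo_hardened.
* Added example, not part of the original article. The table ZCUSTOMER,
* its NAME column and the authorization object ZCUSTREAD are assumed.

PARAMETERS p_name TYPE c LENGTH 40.

DATA lt_result TYPE STANDARD TABLE OF zcustomer.
DATA lv_where  TYPE string.

*----------------------------------------------------------------------
* Open SQL injection
*----------------------------------------------------------------------
* Weak: user input is concatenated into a dynamic WHERE clause, so the
* input can change the query logic instead of just supplying a value.
lv_where = `name = '` && p_name && `'`.
SELECT * FROM zcustomer INTO TABLE lt_result WHERE (lv_where).

* Hardened (preferred): no dynamic clause at all. A host variable is
* bound as a value, never parsed as part of the statement.
SELECT * FROM zcustomer INTO TABLE lt_result WHERE name = p_name.

* Hardened (when a dynamic clause is unavoidable): let the kernel helper
* quote the literal and escape any embedded quotes for you.
lv_where = `name = ` && cl_abap_dyn_prg=>quote( p_name ).
SELECT * FROM zcustomer INTO TABLE lt_result WHERE (lv_where).

*----------------------------------------------------------------------
* Authorization flaw
*----------------------------------------------------------------------
* Weak: reading the data with no AUTHORITY-CHECK at all, which is what
* the backdoor statistic in this article describes.
*
* Hardened: check the (assumed) authorization object for display
* activity before touching the data, and treat a failed check as a hard
* stop rather than something to log and continue past.
AUTHORITY-CHECK OBJECT 'ZCUSTREAD'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized to display customer data'.
ENDIF.

SELECT * FROM zcustomer INTO TABLE lt_result WHERE name = p_name.
```

The design point is that both fixes remove a decision from the attacker-controlled path: binding a host variable means the input can only ever be data, and an AUTHORITY-CHECK with an error message means the program cannot reach the SELECT for a user who lacks the object. Static code scanners flag the dynamic WHERE and the absent AUTHORITY-CHECK precisely because both are visible in the source without running anything.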

Out of a standard SAP system with an approximate 1.9 million lines of code, there are 2,197 critical security and compliance vulnerabilities.

Any one of these can have serious bottom-line repercussions on a company, but even more worrisome is that out of those 2,197 security issues, 16 are so severe that they can result in a total system compromise if just one of those vulnerabilities is exploited by a hacker.

We’re talking about an outsider gaining full access to all sensitive business data from exploiting just one of these 16 severe security issues.

Even worse, we found a high probability of backdoors in SAP systems, with 68% of them lacking proper authority checks.

Cybersecurity is fast becoming one of the primary focuses for enterprise organizations – and not just within the IT department.

The rash of high-profile cybersecurity attacks over the past year has brought this issue to the forefront with the C-Suite and the Board of Directors, many of whom are beginning to better understand the risks involved with not investing in IT security, improved IT infrastructure, and SAP application security.

Unfortunately, many organizations still have a long way to go when it comes to improving SAP code quality. 


About the author

E-3 Magazine

Articles published through E-3 Magazine International. This includes press releases by our partners as well as articles and reports from the E-3 team of journalists.
