Do you cover SoD conflict mining?

Yes. Roles, profiles, and composite role analysis runs against the AU GRC SoD rule set. Each conflict lists the user count and AUD financial exposure.

How do you handle RFC and SAProuter?

RFC trust relationships, gateway ACLs, and SAProuter route-table gaps are tested. Each finding cites the SAP Security Note and the ASD ISM control.

Is the report usable for APRA outsourcing review?

Yes. CPS 230 material service provider clauses are mapped on every SAP partner integration. Useful for the annual outsourcing schedule.

Do you test S/4HANA Fiori?

Yes. Fiori catalogue and tile authorisations, Gateway SAP_GW_USERS, and OData service exposure are tested. Each finding lists the affected catalogue ID.

SAP security assessment

Find what an SoD matrix can't see.

NetWeaver · ABAP · HANA · Fiori · SAProuter, tested by hand for RFC gateway abuse, authority-object chaining, segregation-of-duties violations that move money, ICMAD-class memory corruption, RECON-class unauthenticated user creation, and custom-ABAP injection. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the SAP attack paths

Four SAP surfaces

NetWeaver/ABAP · HANA · Fiori · SAProuter, one method, four control points.

Evidence

Working proof-of-exploit and ABAP-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your SAP landscape, your transport requests, and your engagement record.

APRA CPS 234
Prudential standard · information security
ASD Essential 8
Australian Signals Directorate maturity model
IRAP
Info-Security Registered Assessors Program
CREST
Tester accreditation
SOC 2 Type II
AICPA · TSC controls auditable

Why a role review isn't a pentest

An SoD matrix that passes is not a chain that holds.

GRC tooling and SoD matrices report what your SAP landscape looks like on paper, which authorization objects each user holds, which transactions sit inside which role. A pentest reports what an attacker can actually do with that landscape. SecureLayer7's operators chain those passing rows, S_TCODE for MM02, S_TCODE for FB01, an open RFC trust to the production system, into the proof-of-exploit your basis team can fix and your auditor will accept.

Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.

IN SCOPE.

Where we look inside your SAP estate.

ROLES + SOD

Chained authorisations

SAP_ALL leakage, transaction-code combinations the SoD matrix passes, S_RFC + S_TCODE chains.

RFC + GATEWAY

External interfaces

Gateway ACL gaps, registered RFC servers, ABAP-to-Java trust, SOAP / OData endpoints exposed.

CUSTOM ABAP

Code-injection paths

Open SQL injection, directory traversal in custom Z* programs, OS-command via CALL SYSTEM.

BTP + INTEGRATIONS

Cloud + middleware

BTP destinations, Cloud Connector trust, S/4HANA Cloud APIs, IDP federation across landscapes.

What we test —

Six SAP surfaces. One engagement.

Every layer of the SAP landscape gets a manual, threat-modelled review against its real attack surface — kernel, database, presentation, transport, custom code, and authorization. Intensity tunes per scope.

NetWeaver / ABAP kernel

RECON-class unauth user creation (CVE-2020-6287 family), ICMAD memory corruption (CVE-2022-22536 family), authority-object bypass against S_TCODE / S_DEVELOP / S_RFC, ABAP code injection in dynamic CALL TRANSACTION and EXECUTE IMMEDIATELY, transport-request abuse, message server unauthenticated registration.

SAP HANA

SQL injection in custom procedures, SYSTEM privilege escalation, cross-schema access via shared CDS views, _SYS_REPO mis-grants, encryption-at-rest verification, audit-policy gaps, XSA tenant boundary bypass, replication-route abuse on system replication.

S/4HANA & ECC business logic

Segregation-of-duties chains that move money — vendor master maintenance + invoice posting + payment release in one user; F110 payment program abuse via spoofed bank master; MIRO three-way-match bypass; goods-receipt reversal-and-repost flows that paper over inventory shrink.

Fiori / UI5 frontend

OData service authorisation gaps, CSRF token reuse across sessions, UI5 mock-data leakage, Launchpad role-hiding bypass, Gateway service /sap/opu/odata/ exposure, web-dispatcher header-rewrite abuse, BSP application chained-XSS to ABAP RFC.

SAProuter & RFC Gateway

Gateway ACL bypass (reginfo / secinfo gaps), unauthenticated RFC server registration, message-server SXM access, SAProuter route-permission leakage, DIAG / RFC protocol replay where TLS isn't terminated, exposure of internal load-balancer behind public listener.

Custom Z* code & roles

Z-program authority-check omissions, hardcoded SAP* / DDIC credentials in customer transports, ABAP open-SQL injection in customer namespaces, role/profile drift between DEV and PROD landscapes, derived-role inheritance abuse, GRC mitigations that whitelist the chain rather than break it.

SAP METHODOLOGY.

Eight phases. Landscape to transaction.

Threat-modelled to your SAP landscape (clients, RFC trust, custom Z* footprint, GRC mitigations). Not a generic SAP checklist we run against every customer.

01
Scope & threat-model
Landscape topology, client boundaries, RFC trust graph, GRC and SoD-ruleset baseline mapped before any traffic.
02
Recon & enumeration
External exposure of SAProuter, Web Dispatcher, Fiori Launchpad, ICM ports. Internal enumeration of message servers, gateway listeners, attached HANA tenants, RFC destinations.
03
Authorization review
GRC, SoD, and authority-object snapshots collected as leads to chase, not findings to ship. Drift between role design and effective authorisation highlighted.
04
Authority exploitation
Authority-object chaining across S_TCODE, S_DEVELOP, S_RFC; derived-role inheritance abuse; GRC mitigation bypass; default SAP*, DDIC, and EARLYWATCH paths exercised to credential or transaction takeover.
05
Kernel & RFC exploitation
RECON-class auth bypass, ICMAD-class memory corruption, RFC gateway ACL bypass, message-server registration abuse, HANA SYSTEM-privilege escalation, cross-schema CDS pivots, XSA tenant boundary tests.
06
Vulnerability analysis
Findings correlated, chained into business-impact paths (vendor payout, payroll spoof, inventory shrink, SoX-bypass) and scored with SAP-aware blast-radius rather than CVSS in isolation.
07
Remediation guidance
ABAP patch notes, SAP Note IDs, role-redesign diffs, GRC ruleset corrections, transport-request templates, SAProuter and gateway ACL deltas. Written for basis and security architects, not auditors.
08
Patch verification
Every finding re-tested after your team ships the SAP Note or role change, at no extra cost. Written confirmation each path is closed.

Insights

SAP & ERP security Resources.

SAP-side audit notes: RFC abuse, transport drift, and the ABAP/Fiori findings our reviewers file across S/4HANA estates.

Oracle E-Business Suite file upload CVE

CVE-2015-2652: unauthenticated arbitrary file upload that mirrors the kind of issues we hunt in SAP NetWeaver and Fiori.

Attack surface management for ERP estates

Discovery, exposure scoring, and continuous validation across SAP, Oracle, and the integrations sitting in front of them.

Supply chain attacks on critical systems

Patterns from 3CX, polyfill, and similar campaigns and the controls that detect them in SAP-anchored environments.

Meet our expert

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes SAP-pentest engagements against your landscape topology, RFC trust graph, custom Z* footprint, and GRC ruleset. She guides the pod from kick-off through final report and remediation review with your basis and audit teams.

Scopes NetWeaver, S/4HANA, ECC, and HANA engagements against your real risk model.
Owns kick-off, mid-engagement check-ins, and live walkthrough with basis and audit.
Drives remediation review and re-test until every chained authorization path is closed.

SL7 Lab. Published CVE research.

Nivedita Singh, Security Advisor & Engagement Lead at SecureLayer7

Ready to scope an SAP pentest? Book 30 minutes with Nivedita to walk through your landscape, RFC trust, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

SAP for banking treasury, S/4HANA financial close, custody adjacency.

See FinTech pentest

Retail

SAP retail merchandising, vendor master, store-replenishment data flows.

See Retail pentest

Tech SaaS

SAP for SaaS finance & ops, BTP integrations, identity sync to AD/Entra.

See Tech SaaS pentest

Built for Australia engagements

What changes when we deliver here.

Regulatory framework
APRA outsourcing + CPS 230 clause map
Compliance scoping
ASD ISM separation-of-duties evidence
Local engagements
Super fund — 11 SoD conflicts retired in 60 days
Local pricing
AUD per-module pricing, GST inclusive option
Compliance scoping
AUD financial exposure per SoD conflict

Questions Australian SAP basis and GRC teams ask first.

Do you cover SoD conflict mining?
Yes. Roles, profiles, and composite role analysis runs against the AU GRC SoD rule set. Each conflict lists the user count and AUD financial exposure.
How do you handle RFC and SAProuter?
RFC trust relationships, gateway ACLs, and SAProuter route-table gaps are tested. Each finding cites the SAP Security Note and the ASD ISM control.
Is the report usable for APRA outsourcing review?
Yes. CPS 230 material service provider clauses are mapped on every SAP partner integration. Useful for the annual outsourcing schedule.
Do you test S/4HANA Fiori?
Yes. Fiori catalogue and tile authorisations, Gateway SAP_GW_USERS, and OData service exposure are tested. Each finding lists the affected catalogue ID.

Delivery in Australia

APRA outsourcing. ASD ISM SoD.

Roles, RFC, and transport findings cite APRA outsourcing and material service provider controls. SoD conflicts map to ASD ISM separation-of-duties clauses.

Direct line: +61-2-0000-0000
Office: Sydney, Australia

Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.

Sample SAP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC against an SAP authority-object chain, ABAP-level fix guidance, and SAP Note references. Sent on request after a 5-minute scoping call.