Are SoD conflicts mapped to NCA ECC governance?

Yes. Each SoD conflict cites the ECC cybersecurity governance sub-control. Finance leadership reads the audit risk in business terms.

Does the audit fit SAMA D3 access controls?

Yes. Role design, privileged access, and Firefighter usage are written into SAMA D3 wording. Bank internal audit signs off cleanly.

Do you cover RFC trust and gateway settings?

Yes. RFC destinations, gateway ACLs, and SNC are reviewed for trust abuses. Each finding names the destination ID at risk.

Where does SAP access happen during the review?

Through a KSA-region jump host. Auditor sessions are recorded. SAP export files stay inside the Kingdom for the full engagement.

SAP security assessment

Find what an SoD matrix can't see.

NetWeaver · ABAP · HANA · Fiori · SAProuter, tested by hand for RFC gateway abuse, authority-object chaining, segregation-of-duties violations that move money, ICMAD-class memory corruption, RECON-class unauthenticated user creation, and custom-ABAP injection. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the SAP attack paths

Four SAP surfaces

NetWeaver/ABAP · HANA · Fiori · SAProuter, one method, four control points.

Evidence

Working proof-of-exploit and ABAP-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your SAP landscape, your transport requests, and your engagement record.

SAMA CSF
Saudi Central Bank cybersecurity framework
NCA ECC
National Cybersecurity Authority Essential Controls
CITC
Communications & IT Commission frameworks
CREST
Tester accreditation
ISO/IEC 27001
Information security management

Why a role review isn't a pentest

An SoD matrix that passes is not a chain that holds.

GRC tooling and SoD matrices report what your SAP landscape looks like on paper, which authorization objects each user holds, which transactions sit inside which role. A pentest reports what an attacker can actually do with that landscape. SecureLayer7's operators chain those passing rows, S_TCODE for MM02, S_TCODE for FB01, an open RFC trust to the production system, into the proof-of-exploit your basis team can fix and your auditor will accept.

Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.

IN SCOPE.

Where we look inside your SAP estate.

ROLES + SOD

Chained authorisations

SAP_ALL leakage, transaction-code combinations the SoD matrix passes, S_RFC + S_TCODE chains.

RFC + GATEWAY

External interfaces

Gateway ACL gaps, registered RFC servers, ABAP-to-Java trust, SOAP / OData endpoints exposed.

CUSTOM ABAP

Code-injection paths

Open SQL injection, directory traversal in custom Z* programs, OS-command via CALL SYSTEM.

BTP + INTEGRATIONS

Cloud + middleware

BTP destinations, Cloud Connector trust, S/4HANA Cloud APIs, IDP federation across landscapes.

What we test —

Six SAP surfaces. One engagement.

Every layer of the SAP landscape gets a manual, threat-modelled review against its real attack surface — kernel, database, presentation, transport, custom code, and authorization. Intensity tunes per scope.

NetWeaver / ABAP kernel

RECON-class unauth user creation (CVE-2020-6287 family), ICMAD memory corruption (CVE-2022-22536 family), authority-object bypass against S_TCODE / S_DEVELOP / S_RFC, ABAP code injection in dynamic CALL TRANSACTION and EXECUTE IMMEDIATELY, transport-request abuse, message server unauthenticated registration.

SAP HANA

SQL injection in custom procedures, SYSTEM privilege escalation, cross-schema access via shared CDS views, _SYS_REPO mis-grants, encryption-at-rest verification, audit-policy gaps, XSA tenant boundary bypass, replication-route abuse on system replication.

S/4HANA & ECC business logic

Segregation-of-duties chains that move money — vendor master maintenance + invoice posting + payment release in one user; F110 payment program abuse via spoofed bank master; MIRO three-way-match bypass; goods-receipt reversal-and-repost flows that paper over inventory shrink.

Fiori / UI5 frontend

OData service authorisation gaps, CSRF token reuse across sessions, UI5 mock-data leakage, Launchpad role-hiding bypass, Gateway service /sap/opu/odata/ exposure, web-dispatcher header-rewrite abuse, BSP application chained-XSS to ABAP RFC.

SAProuter & RFC Gateway

Gateway ACL bypass (reginfo / secinfo gaps), unauthenticated RFC server registration, message-server SXM access, SAProuter route-permission leakage, DIAG / RFC protocol replay where TLS isn't terminated, exposure of internal load-balancer behind public listener.

Custom Z* code & roles

Z-program authority-check omissions, hardcoded SAP* / DDIC credentials in customer transports, ABAP open-SQL injection in customer namespaces, role/profile drift between DEV and PROD landscapes, derived-role inheritance abuse, GRC mitigations that whitelist the chain rather than break it.

SAP METHODOLOGY.

Eight phases. Landscape to transaction.

Threat-modelled to your SAP landscape (clients, RFC trust, custom Z* footprint, GRC mitigations). Not a generic SAP checklist we run against every customer.

01
Scope & threat-model
Landscape topology, client boundaries, RFC trust graph, GRC and SoD-ruleset baseline mapped before any traffic.
02
Recon & enumeration
External exposure of SAProuter, Web Dispatcher, Fiori Launchpad, ICM ports. Internal enumeration of message servers, gateway listeners, attached HANA tenants, RFC destinations.
03
Authorization review
GRC, SoD, and authority-object snapshots collected as leads to chase, not findings to ship. Drift between role design and effective authorisation highlighted.
04
Authority exploitation
Authority-object chaining across S_TCODE, S_DEVELOP, S_RFC; derived-role inheritance abuse; GRC mitigation bypass; default SAP*, DDIC, and EARLYWATCH paths exercised to credential or transaction takeover.
05
Kernel & RFC exploitation
RECON-class auth bypass, ICMAD-class memory corruption, RFC gateway ACL bypass, message-server registration abuse, HANA SYSTEM-privilege escalation, cross-schema CDS pivots, XSA tenant boundary tests.
06
Vulnerability analysis
Findings correlated, chained into business-impact paths (vendor payout, payroll spoof, inventory shrink, SoX-bypass) and scored with SAP-aware blast-radius rather than CVSS in isolation.
07
Remediation guidance
ABAP patch notes, SAP Note IDs, role-redesign diffs, GRC ruleset corrections, transport-request templates, SAProuter and gateway ACL deltas. Written for basis and security architects, not auditors.
08
Patch verification
Every finding re-tested after your team ships the SAP Note or role change, at no extra cost. Written confirmation each path is closed.

Insights

SAP & ERP security Resources.

SAP-side audit notes: RFC abuse, transport drift, and the ABAP/Fiori findings our reviewers file across S/4HANA estates.

Oracle E-Business Suite file upload CVE

CVE-2015-2652: unauthenticated arbitrary file upload that mirrors the kind of issues we hunt in SAP NetWeaver and Fiori.

Attack surface management for ERP estates

Discovery, exposure scoring, and continuous validation across SAP, Oracle, and the integrations sitting in front of them.

Supply chain attacks on critical systems

Patterns from 3CX, polyfill, and similar campaigns and the controls that detect them in SAP-anchored environments.

Meet our expert

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes SAP-pentest engagements against your landscape topology, RFC trust graph, custom Z* footprint, and GRC ruleset. She guides the pod from kick-off through final report and remediation review with your basis and audit teams.

Scopes NetWeaver, S/4HANA, ECC, and HANA engagements against your real risk model.
Owns kick-off, mid-engagement check-ins, and live walkthrough with basis and audit.
Drives remediation review and re-test until every chained authorization path is closed.

SL7 Lab. Published CVE research.

Nivedita Singh, Security Advisor & Engagement Lead at SecureLayer7

Ready to scope an SAP pentest? Book 30 minutes with Nivedita to walk through your landscape, RFC trust, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

SAP for banking treasury, S/4HANA financial close, custody adjacency.

See FinTech pentest

Retail

SAP retail merchandising, vendor master, store-replenishment data flows.

See Retail pentest

Tech SaaS

SAP for SaaS finance & ops, BTP integrations, identity sync to AD/Entra.

See Tech SaaS pentest

Built for Saudi Arabia engagements

What changes when we deliver here.

Compliance scoping
SoD conflicts cited under NCA ECC cybersecurity governance
Regulatory framework
SAMA D3 access-control wording per finding
Local engagements
Dammam refiner cleared 47 SoD conflicts before SAMA audit
Local pricing
SAR per-module SAP review pricing with VAT 15%
Compliance scoping
RFC trust and gateway ACL review in scope

SAP review questions from KSA finance and IT teams.

Are SoD conflicts mapped to NCA ECC governance?
Yes. Each SoD conflict cites the ECC cybersecurity governance sub-control. Finance leadership reads the audit risk in business terms.
Does the audit fit SAMA D3 access controls?
Yes. Role design, privileged access, and Firefighter usage are written into SAMA D3 wording. Bank internal audit signs off cleanly.
Do you cover RFC trust and gateway settings?
Yes. RFC destinations, gateway ACLs, and SNC are reviewed for trust abuses. Each finding names the destination ID at risk.
Where does SAP access happen during the review?
Through a KSA-region jump host. Auditor sessions are recorded. SAP export files stay inside the Kingdom for the full engagement.

Delivery in Saudi Arabia

SAP review for NCA ECC governance and SAMA D3.

SoD, RFC, and S/4HANA findings cite NCA ECC v2.0 cybersecurity governance and SAMA D3 access control wording. SAR pricing, KSA-region SAP access.

Direct line: +966-11-000-0000
Office: Riyadh, Saudi Arabia

Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.

Sample SAP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC against an SAP authority-object chain, ABAP-level fix guidance, and SAP Note references. Sent on request after a 5-minute scoping call.