Do findings line up with MAS TRM §11?

Yes. Role, RFC, and SoD findings cite §11 control text. Internal audit can attach the SAP report straight to the TRM file without rework.

How are SoD conflicts identified?

We run a SoD matrix against PFCG roles and live SU01 assignments. Conflicts include the user, role, and transaction pair so the Basis team can split duties cleanly.

What about RFC and gateway hardening?

We test SM59, gateway ACLs, and SNC configuration. Findings call out trusted-system abuse paths with a working SAP Note reference for the patch.

Where does the SAP export live during review?

Role exports stay on SG-region jump hosts under a PDPA §24 DPA. Employee PII inside SAP HR is masked before sharing and purged at 30 days.

SAP security assessment

Find what an SoD matrix can't see.

NetWeaver · ABAP · HANA · Fiori · SAProuter, tested by hand for RFC gateway abuse, authority-object chaining, segregation-of-duties violations that move money, ICMAD-class memory corruption, RECON-class unauthenticated user creation, and custom-ABAP injection. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the SAP attack paths

Four SAP surfaces

NetWeaver/ABAP · HANA · Fiori · SAProuter, one method, four control points.

Evidence

Working proof-of-exploit and ABAP-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your SAP landscape, your transport requests, and your engagement record.

MAS TRM
Technology Risk Management guidelines
CSA Cyber Trust
Cybersecurity Agency of Singapore mark
IMDA
Info-comm Media Development Authority
PDPA
Personal Data Protection Act 2012
SOC 2 Type II
AICPA · TSC controls auditable

Why a role review isn't a pentest

An SoD matrix that passes is not a chain that holds.

GRC tooling and SoD matrices report what your SAP landscape looks like on paper, which authorization objects each user holds, which transactions sit inside which role. A pentest reports what an attacker can actually do with that landscape. SecureLayer7's operators chain those passing rows, S_TCODE for MM02, S_TCODE for FB01, an open RFC trust to the production system, into the proof-of-exploit your basis team can fix and your auditor will accept.

Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.

IN SCOPE.

Where we look inside your SAP estate.

ROLES + SOD

Chained authorisations

SAP_ALL leakage, transaction-code combinations the SoD matrix passes, S_RFC + S_TCODE chains.

RFC + GATEWAY

External interfaces

Gateway ACL gaps, registered RFC servers, ABAP-to-Java trust, SOAP / OData endpoints exposed.

CUSTOM ABAP

Code-injection paths

Open SQL injection, directory traversal in custom Z* programs, OS-command via CALL SYSTEM.

BTP + INTEGRATIONS

Cloud + middleware

BTP destinations, Cloud Connector trust, S/4HANA Cloud APIs, IDP federation across landscapes.

What we test —

Six SAP surfaces. One engagement.

Every layer of the SAP landscape gets a manual, threat-modelled review against its real attack surface — kernel, database, presentation, transport, custom code, and authorization. Intensity tunes per scope.

NetWeaver / ABAP kernel

RECON-class unauth user creation (CVE-2020-6287 family), ICMAD memory corruption (CVE-2022-22536 family), authority-object bypass against S_TCODE / S_DEVELOP / S_RFC, ABAP code injection in dynamic CALL TRANSACTION and EXECUTE IMMEDIATELY, transport-request abuse, message server unauthenticated registration.

SAP HANA

SQL injection in custom procedures, SYSTEM privilege escalation, cross-schema access via shared CDS views, _SYS_REPO mis-grants, encryption-at-rest verification, audit-policy gaps, XSA tenant boundary bypass, replication-route abuse on system replication.

S/4HANA & ECC business logic

Segregation-of-duties chains that move money — vendor master maintenance + invoice posting + payment release in one user; F110 payment program abuse via spoofed bank master; MIRO three-way-match bypass; goods-receipt reversal-and-repost flows that paper over inventory shrink.

Fiori / UI5 frontend

OData service authorisation gaps, CSRF token reuse across sessions, UI5 mock-data leakage, Launchpad role-hiding bypass, Gateway service /sap/opu/odata/ exposure, web-dispatcher header-rewrite abuse, BSP application chained-XSS to ABAP RFC.

SAProuter & RFC Gateway

Gateway ACL bypass (reginfo / secinfo gaps), unauthenticated RFC server registration, message-server SXM access, SAProuter route-permission leakage, DIAG / RFC protocol replay where TLS isn't terminated, exposure of internal load-balancer behind public listener.

Custom Z* code & roles

Z-program authority-check omissions, hardcoded SAP* / DDIC credentials in customer transports, ABAP open-SQL injection in customer namespaces, role/profile drift between DEV and PROD landscapes, derived-role inheritance abuse, GRC mitigations that whitelist the chain rather than break it.

SAP METHODOLOGY.

Eight phases. Landscape to transaction.

Threat-modelled to your SAP landscape (clients, RFC trust, custom Z* footprint, GRC mitigations). Not a generic SAP checklist we run against every customer.

01
Scope & threat-model
Landscape topology, client boundaries, RFC trust graph, GRC and SoD-ruleset baseline mapped before any traffic.
02
Recon & enumeration
External exposure of SAProuter, Web Dispatcher, Fiori Launchpad, ICM ports. Internal enumeration of message servers, gateway listeners, attached HANA tenants, RFC destinations.
03
Authorization review
GRC, SoD, and authority-object snapshots collected as leads to chase, not findings to ship. Drift between role design and effective authorisation highlighted.
04
Authority exploitation
Authority-object chaining across S_TCODE, S_DEVELOP, S_RFC; derived-role inheritance abuse; GRC mitigation bypass; default SAP*, DDIC, and EARLYWATCH paths exercised to credential or transaction takeover.
05
Kernel & RFC exploitation
RECON-class auth bypass, ICMAD-class memory corruption, RFC gateway ACL bypass, message-server registration abuse, HANA SYSTEM-privilege escalation, cross-schema CDS pivots, XSA tenant boundary tests.
06
Vulnerability analysis
Findings correlated, chained into business-impact paths (vendor payout, payroll spoof, inventory shrink, SoX-bypass) and scored with SAP-aware blast-radius rather than CVSS in isolation.
07
Remediation guidance
ABAP patch notes, SAP Note IDs, role-redesign diffs, GRC ruleset corrections, transport-request templates, SAProuter and gateway ACL deltas. Written for basis and security architects, not auditors.
08
Patch verification
Every finding re-tested after your team ships the SAP Note or role change, at no extra cost. Written confirmation each path is closed.

Insights

SAP & ERP security Resources.

SAP-side audit notes: RFC abuse, transport drift, and the ABAP/Fiori findings our reviewers file across S/4HANA estates.

Oracle E-Business Suite file upload CVE

CVE-2015-2652: unauthenticated arbitrary file upload that mirrors the kind of issues we hunt in SAP NetWeaver and Fiori.

Attack surface management for ERP estates

Discovery, exposure scoring, and continuous validation across SAP, Oracle, and the integrations sitting in front of them.

Supply chain attacks on critical systems

Patterns from 3CX, polyfill, and similar campaigns and the controls that detect them in SAP-anchored environments.

Meet our expert

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes SAP-pentest engagements against your landscape topology, RFC trust graph, custom Z* footprint, and GRC ruleset. She guides the pod from kick-off through final report and remediation review with your basis and audit teams.

Scopes NetWeaver, S/4HANA, ECC, and HANA engagements against your real risk model.
Owns kick-off, mid-engagement check-ins, and live walkthrough with basis and audit.
Drives remediation review and re-test until every chained authorization path is closed.

SL7 Lab. Published CVE research.

Nivedita Singh, Security Advisor & Engagement Lead at SecureLayer7

Ready to scope an SAP pentest? Book 30 minutes with Nivedita to walk through your landscape, RFC trust, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

SAP for banking treasury, S/4HANA financial close, custody adjacency.

See FinTech pentest

Retail

SAP retail merchandising, vendor master, store-replenishment data flows.

See Retail pentest

Tech SaaS

SAP for SaaS finance & ops, BTP integrations, identity sync to AD/Entra.

See Tech SaaS pentest

Built for Singapore engagements

What changes when we deliver here.

Compliance scoping
MAS TRM §11 SoD and role-design mapping
Regulatory framework
PDPA §24 SAP HR PII masking before sharing
Local engagements
Manufacturer S/4HANA — split 36 SoD conflicts before year-end audit
Local pricing
SGD per-1000-user band, module-count tier
Compliance scoping
ACRA-aligned financial-control evidence in audit pack

SAP review questions from SG finance teams.

Do findings line up with MAS TRM §11?
Yes. Role, RFC, and SoD findings cite §11 control text. Internal audit can attach the SAP report straight to the TRM file without rework.
How are SoD conflicts identified?
We run a SoD matrix against PFCG roles and live SU01 assignments. Conflicts include the user, role, and transaction pair so the Basis team can split duties cleanly.
What about RFC and gateway hardening?
We test SM59, gateway ACLs, and SNC configuration. Findings call out trusted-system abuse paths with a working SAP Note reference for the patch.
Where does the SAP export live during review?
Role exports stay on SG-region jump hosts under a PDPA §24 DPA. Employee PII inside SAP HR is masked before sharing and purged at 30 days.

Delivery in Singapore

SAP review. MAS TRM §11 fit.

SAP ECC and S/4HANA review reads roles, RFC destinations, and SoD conflicts against MAS TRM §11. Findings show SU01, PFCG, and SM59 paths with fix steps the Basis team runs.

Direct line: +65-6000-0000
Office: Singapore

Frameworks scoped: MAS TRM · PDPA · PCI DSS · ISO/IEC 27001.

Sample SAP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC against an SAP authority-object chain, ABAP-level fix guidance, and SAP Note references. Sent on request after a 5-minute scoping call.