The purpose of this report is to show a high-level view of SAP Security in figures, so that the problem area is not just theoretically comprehensible but based on actual numbers and metrics: from the number of issues found and their popularity to the number of vulnerable systems, all acquired as a result of a global scan.
One of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network. While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet. In some cases the reason is lack of knowledge; in others, companies want easy remote control, which is insecure.