Skip to Content
Author's profile photo Richard Hirsch

New job offers from SAP demonstrate the potential of HANA to secure SAP systems

HANA’s real-time analytical power provides an excellent foundation to rapidly deal with security-related issues. At this year’s Sapphire, Hasso Plattner described the importance of HANA in fighting hackers.

….the increased number of potential attack vectors open to hackers means that companies can no longer rely on perimeter defences. The chairman said enterprise-level customers need to upgrade to intelligence models powered by advanced analytics tools, like HANA.

Plattner said: “What’s on show here is a new security-monitoring application that collects all significant hardware, network and software vendors’ security messages. It takes them from people like Microsoft, HP, IBM, CISCO and Oracle. It takes all of them into a large HANA database and does multi-system security breach analysis.

What I always found intriguing about this quote was that Hasso didn’t mention SAP systems as being involved in such HANA-based cyber-threat scenarios.

Two new job offers reveal that SAP is indeed examining the potential of HANA to deal with such issues.

The job offers

Position: Working Student: Smart analysis of SAP log data in a central HANA Database

Our department has the task to examine and prepare the development of a new product in the area of mass data analysis that deals with attacks to SAP systems. The relevant data sources to analyze are e.g. the very different logs of SAP systems, which are in general very large and grow fast within short time ranges. With SAP’s in Memory HANA Database it becomes now possible to examine and analyze such mass data in a very fast way. This new opportunity allows us to analyze the data according to SAP system hacks that occurred in the past, or that are even currently occurring. One of the challenges is to transfer the relevant data into a good SAP HANA Database readable format that allows for a highly performing access via HANA-DB optimized select statements.

Some corresponding questions are:

  • How does the format of the most relevant data of the different sources look like? How can relevant information be found out of this data?
  • Which features does the SAP HANA Database provide to read structured and unstructured (text) data in a fast way?
  • How shall a SAP HANA Database table format (or formats) look like, into which the data out of the different sources need to be transferred?
  • What are alternatives to optimize the SAP HANA Database table format(s) in order to find the relevant data in a highly efficient way?
  • How could meta data models look like to allow some kind of modeling of the highly efficient select statements?

Position: Thesis Student: Analysis and Definition of Attack Patterns for SAP systems

[first part of job description is the same as the first offer]

…… One of the challenges is to determine/define valid general Attack Patterns to SAP Systems or to system landscapes with SAP systems and to transfer these patterns into technical analysis statements that are applied to the relevant mass data in a SAP HANA Database.

Some corresponding questions are:

  • Which are valid attack patterns?
  • Which data out of which sources is needed in order to find a potential attacks according to an attack pattern?
  • How does the filtering and order of filtering of the data look like to most exactly find a potential attack?
  • How can so called ‘false positives’ (i.e. findings of potential attacks that aren’t any) be ignored in a most reliable manner?


  • I know that both positions may be viewed more as research-related (Working Student, Thesis Student, etc) rather than part of product teams but it looks like things are more serious than just research. The description contains a reference to a new product: “Our department has the task to examine and prepare the development of a new product new product in the area of mass data analysis that deals with attacks to SAP systems.”
  • There are other efforts from SAP employees to read logs into HANA – for example, Importing Apache Webserver Logs to SAP HANA for Web Analytics & Reporting – but these efforts focus more on monitoring and traffic analysis rather that security concerns.
  • As I read these job descriptions, I thought about the possible integration possibilities with HANA-enhanced GRC products as well as broader fraud management solutions.
  • A recent graduate of the HANA Start-up program called “Alert Enterprise” has a HANA-based security system which “addresses the single most overlooked gap in enterprise security – the prevention, detection and fast resolution of linked IT and physical access violations across diverse enterprise systems, applications, databases and geographically distributed assets.” [SOURCE]. As I watched the JD-OD video that Dennis Howlett made last year about AlertEnterprise I realized that the broader potential value of such a SAP product would have for such security-related frameworks.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Frank Koehntopp
      Frank Koehntopp

      Fascinating topic, this!

      Unfortunately it doesn't work too well as a defense strategy - it shares similar issues with defending against terrorism:

      • We are incredibly good at defending against yesterday's attacks (haven't seen a lot of planes flying into skyscrapers recently), but that comes at a high cost (how many billions have we sunk into airport security by now?) and the attacker simply changes strategy (would love to see honest ❗ statistics about attempts at bypassing airport security).
      • Monitoring is great, but most of the time it's difficult to get from watching into acting. Think security cameras everywhere - they have yet to prevent a _single_ attack, but they may help in identifying the attacker (which is not always helpful).

      Attacks on IT systems are similar: if we see a single IP address trying to brute force user IDs and passwords we can counteract by blocking the IP or throttling, but then the attacker simply uses a botnet instead.

      We can identify malicious input like SQL injection, but this is only useful if we have prepared for that in our server code by sanitizing user input.

      Still, there is merit in this analysis, it's useful to identify changes in threat patterns or watch new attacks gain usage. It helps architecting and sizing your defense infrastructure.

      For developers it puts the focus on threat modeling, and rightly so. A good security design is still the only promising effort against successful exploits.

      Application developers can help the analysis effort in two ways:

      • Make sure there is a unified way to log security relevant events, i.e. whenever the application code actively reacted to an attack (wrong password, number of retries exceeded, inout validation failed)
      • Document what you're defending against in a parseable language (Google for "attack pattern matching") so that the analysis engine knows what your application considers to be an attack. This will generally be different between applications.

      I would love to see results from those efforts soon. Ideally these end up in the cloud, shared by all users of the infrastructure so that customers can share knowledge and adapt their systems accordingly.

      Author's profile photo Richard Hirsch
      Richard Hirsch
      Blog Post Author

      Still, there is merit in this analysis, it's useful to identify changes in threat patterns or watch new attacks gain usage. It helps architecting and sizing your defense infrastructure.

      I think might be interesting is to look at this work in terms of the HANA Enterprise Cloud where many customers host their SAP systems. HANA might be useful in this environment.  In such environments,  the aggregation of data from multiple customers might quickly allow SAP developers to adapt their security design more efficiently.  Such aggregation would also allow more rapid identification of threat patterns.

      Author's profile photo Tom Van Doorslaer
      Tom Van Doorslaer

      I always have to think about those bomb detectors they've been using in Iraq.

      Some guy created so called "bomb-detectors" which didn't work at all, but the mere idea of getting caught this way, had it's effect on car-bomb attempts

      Although there are no figures on how many bomb attacks have been prevented and how many still got through, the mere thought of security, provided more security.

      The problem with IT security, is that an attacker doesn't really get punished for a failed attack. If there would be a system where a hacker got tracked by drones who stuck a cattleprod up his *** after a failed hacking attempt: then the thought of security would actually make your systems more secure.

      Fear of punishment is you best security strategy.

      Author's profile photo Tom Van Doorslaer
      Tom Van Doorslaer

      This would actually make a great demo-jam idea 😛

      Have Hana analyse the incoming requests and interactions. Identify hacking attempts. backtrack the origin. Send in a drone with a cattle-prod.

      Didn't Graham Robinson make a NetWeaver operated shuffeling drone last year?

      Author's profile photo Graham Robinson
      Graham Robinson
      Author's profile photo Maclean Kirkwood
      Maclean Kirkwood

      I'd like to know if SAP employs "white hat" hackers to test SAP systems.  There must be someone on staff to do penetration testing with freely available tools like Metasploit.

      If not, then there should be.  We have to be able to ensure that our clouds, databases and systems are secure, even from our friends in Fort Meade. What a great selling point that would be.