SAP systems run the most sensitive processes in the enterprise — finance, payroll, supply chain, customer data — which makes them a high-value target. Yet most SAP security incidents don't involve sophisticated zero-days. They exploit well-known, entirely fixable gaps that persist because no one owns closing them. This guide walks through the most common and most dangerous security gaps in SAP landscapes, why they matter, and how to address them.
1. Default and Standard-User Passwords
SAP ships with standard users (SAP*, DDIC, SAPCPIC, EARLYWATCH in client 066, TMSADM) whose default passwords are published in SAP's own documentation and in every attacker's checklist, and two of them (SAP* and DDIC) carry near-total privileges. Leaving any of them at the default, or unlocked in productive clients, is one of the most exploited weaknesses in SAP. Attackers and audit scripts check for these first; report RSUSR003 shows you the same result they would get.
Close it: change the default passwords and lock the standard users in every client, not only the productive one (000, 001 and 066, where it still exists, are the ones that get forgotten); set login/no_automatic_user_sapstar = 1 so that deleting the SAP* master record does not re-enable the hard-coded SAP*/PASS logon; and enforce a strong password policy through the login/* profile parameters.
2. Missing Security Patches and SAP Notes
SAP publishes security notes on SAP Security Patch Day, the second Tuesday of each month (the same day as Microsoft's Patch Tuesday). Each one that goes unapplied is a documented, public vulnerability sitting open in your landscape. A note is not always an ABAP correction: it may require a kernel patch or a configuration change, and it is only "applied" once all of those are in place. Patching backlogs, usually a symptom of an overstretched Basis team, are among the biggest sources of real risk.
Close it: review each month's notes on a fixed cadence, prioritize HotNews (CVSS 9.0 and above) and High-priority notes, apply kernel patches as well as ABAP corrections, and don't let the kernel and support-package level drift out of maintenance, because a stack that is out of maintenance cannot receive the fix at all.
3. Excessive Authorizations
Over-provisioned users, meaning too many people with SAP_ALL, SAP_NEW or wide-ranging access "just in case", dramatically expand the blast radius of any compromised account. Authorization sprawl accumulates quietly as roles are copied, extended and never cleaned up.
Close it: run a least-privilege role redesign, remove SAP_ALL and SAP_NEW from dialog users in production (if you keep them at all, keep them on locked emergency users released through a firefighter process), and review authorizations on a schedule rather than only when an auditor asks; SUIM and the RSUSR002 report will show you today who holds critical authorizations.
4. Weak Segregation of Duties (SoD)
When one person can both create a vendor and pay it (FK01/XK01 together with F110), or both create and approve a purchase order (ME21N together with ME29N), you have a segregation-of-duties violation: a fraud risk and a guaranteed audit finding. SoD conflicts are pervasive in landscapes that grew organically without governance, and most of them do not live inside a single role; they appear when two individually clean roles are assigned to the same user.
Close it: define an SoD ruleset at the level of business functions (sets of transactions and authorization objects), analyze every user against it on the union of all their roles, remediate conflicts by splitting roles or mitigate them with a compensating control that someone actually monitors, and put preventive checks in the provisioning workflow. SAP Access Control (GRC) automates the monitoring so conflicts don't silently reappear.
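The cross-role analysis described above, as an added example (not the article's or SAP's own tooling): a small ruleset, constructed roles and user assignments, a check at role level and at user level, and a list of which role removal would clear each conflict. The role names, users and ruleset are constructed for illustration; the transaction codes are the standard ones for vendor maintenance, the payment run and purchase-order creation and release.

```python
"""Cross-role SoD conflict analysis over constructed authorization data.

Added example, not the article's own tooling. Roles, users and the ruleset
are constructed for illustration; the transaction codes are the standard
ones for vendor maintenance (FK01/XK01/FK02/XK02), the payment run (F110)
and purchase-order creation/release (ME21N/ME21, ME29N/ME28).
"""

# Business functions as sets of transactions (a real ruleset would also
# list the authorization objects, e.g. F_LFA1_APP, that matter).
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"FK01", "XK01", "FK02", "XK02"},
    "PAYMENT_RUN": {"F110"},
    "PO_CREATE": {"ME21N", "ME21"},
    "PO_RELEASE": {"ME29N", "ME28"},
}
# Each rule names two functions one person must not hold together.
RULES = {
    "P2P-01": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),  # create a vendor and pay it
    "P2P-02": ("PO_CREATE", "PO_RELEASE"),          # create and approve a PO
}

# Constructed role -> transactions and user -> roles. Every role is clean
# on its own; the conflicts only appear when roles are combined.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_PO_APPROVER": {"ME29N", "ME23N"},
    "Z_DISPLAY_ONLY": {"FBL1N", "ME23N"},
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "AKHAN": {"Z_PURCHASER", "Z_DISPLAY_ONLY"},
    "BLEE": {"Z_PURCHASER", "Z_PO_APPROVER"},
    "TEMP_ADMIN": {"Z_AP_CLERK", "Z_AP_PAYMENTS", "Z_PURCHASER", "Z_PO_APPROVER"},
}


def tcodes_of(roles, role_tcodes=ROLE_TCODES):
    """Union of transactions granted by a set of roles."""
    return set().union(*(role_tcodes[r] for r in roles)) if roles else set()


def conflicts_for(tcodes, rules=RULES, functions=FUNCTIONS):
    """{rule_id: (sorted tcodes on side A, sorted tcodes on side B)} for each
    rule where the given transaction set covers both sides."""
    found = {}
    for rule_id, (fa, fb) in rules.items():
        a, b = tcodes & functions[fa], tcodes & functions[fb]
        if a and b:
            found[rule_id] = (sorted(a), sorted(b))
    return found


def analyze_roles(role_tcodes=ROLE_TCODES):
    """Conflicts contained inside a single role."""
    return {r: conflicts_for(t) for r, t in role_tcodes.items()}


def analyze_users(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Conflicts on the union of each user's roles. This is the analysis
    that matters: role-by-role checks miss everything it reports here."""
    return {u: conflicts_for(tcodes_of(roles, role_tcodes))
            for u, roles in user_roles.items()}


def remediation_options(user, rule_id, user_roles=USER_ROLES,
                        role_tcodes=ROLE_TCODES, rules=RULES, functions=FUNCTIONS):
    """Roles whose removal alone would clear the named conflict for the user."""
    fa, fb = rules[rule_id]
    options = []
    for role in sorted(user_roles[user]):
        remaining = tcodes_of(user_roles[user] - {role}, role_tcodes)
        if not (remaining & functions[fa] and remaining & functions[fb]):
            options.append(role)
    return options


if __name__ == "__main__":
    print("role-level conflicts:", {r: c for r, c in analyze_roles().items() if c})
    for user, found in analyze_users().items():
        for rule_id, (a, b) in found.items():
            print(f"{user}: {rule_id} via {a} + {b}; "
                  f"clear by removing one of {remediation_options(user, rule_id)}")
```

Run it and the role-level check comes back empty while the user-level check flags JSMITH, BLEE and TEMP_ADMIN; that gap is exactly why a ruleset has to be evaluated per user, not per role. A production ruleset also needs the authorization objects behind each transaction, since a role can grant a transaction code without the object values that make it usable, or grant the object without the transaction.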
5. Insecure Interfaces and RFC Connections
SAP landscapes are stitched together by RFC connections, and trusted-system and stored-credential destinations (SM59) are a common lateral-movement path: compromise a low-security development system and hop through a trusting connection into production without ever needing a production password. Unencrypted communication (no SNC on RFC and DIAG, no TLS on HTTP) compounds the exposure, because credentials and data cross the network in the clear, and a permissive RFC gateway (wide-open reginfo and secinfo files) is part of the same problem.
Close it: inventory and harden RFC destinations, eliminate trust relationships that point from less-protected systems into more-protected ones, avoid stored high-privilege credentials (use dedicated technical users of type System, with S_RFC limited to the function groups the interface actually calls), restrict S_RFCACL in the trusting (called) system so trust cannot be used by arbitrary users, lock down the gateway ACLs, and enable SNC for RFC and DIAG and TLS for HTTP(S) traffic.
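One way to turn the destination inventory into the hop analysis described above, as an added example that is not part of the article and not an SAP tool: a constructed list of destinations, resembling what you would pull from SM59 or table RFCDES in each system, is turned into a graph whose edges are the destinations an attacker can use without a password (trusted-system destinations and destinations with a stored user), and a breadth-first search lists every path into a chosen target system. The system names, destination names and protection tiers are assumptions.

```python
"""Lateral-movement paths through RFC destinations.

Added example, not part of the article. The inventory below is constructed
to resemble what you would pull from SM59 (or table RFCDES) in each system:
the calling system, destination name, target system, whether the
destination is flagged as a trusted-system destination, and the logon user
whose password is stored in it, if any. The protection tiers are assumed.
"""
from collections import deque

DESTINATIONS = [
    {"source": "DEV", "name": "DEV_TO_QAS_TRUST", "target": "QAS", "trusted": True, "stored_user": None},
    {"source": "QAS", "name": "QAS_TO_PRD_TRUST", "target": "PRD", "trusted": True, "stored_user": None},
    {"source": "PRD", "name": "PRD_TO_BW", "target": "BW", "trusted": False, "stored_user": "BW_RFC_USER"},
    {"source": "DEV", "name": "DEV_TO_PRD_READ", "target": "PRD", "trusted": False, "stored_user": None},
    {"source": "SOLMAN", "name": "SM_TO_PRD", "target": "PRD", "trusted": False, "stored_user": "SMD_ADMIN"},
]
# Assumed: lower tier = less protected.
TIER = {"DEV": 1, "SOLMAN": 1, "QAS": 2, "BW": 3, "PRD": 3}


def hop_edges(destinations=DESTINATIONS):
    """Adjacency source -> [(target, name, reason)] for destinations that an
    attacker controlling the source can use without knowing a password. A
    destination with neither trust nor stored credentials prompts for logon
    and is left out of the graph."""
    edges = {}
    for d in destinations:
        if d["trusted"]:
            reason = "trusted system"
        elif d["stored_user"]:
            reason = f"stored credentials ({d['stored_user']})"
        else:
            continue
        edges.setdefault(d["source"], []).append((d["target"], d["name"], reason))
    return edges


def paths_to(target, destinations=DESTINATIONS):
    """Every simple path that ends at `target`, found by BFS from each other
    system. A path is a list of (system, destination, reason) hops followed
    by the final (target, None, None)."""
    edges = hop_edges(destinations)
    systems = {d["source"] for d in destinations} | {d["target"] for d in destinations}
    found = []
    for start in sorted(systems - {target}):
        queue = deque([(start, [])])
        while queue:
            node, path = queue.popleft()
            visited = {start, node} | {hop[0] for hop in path}
            for nxt, name, reason in edges.get(node, []):
                if nxt in visited:
                    continue
                step = path + [(node, name, reason)]
                if nxt == target:
                    found.append(step + [(nxt, None, None)])
                else:
                    queue.append((nxt, step))
    return found


def escalating_paths(target, destinations=DESTINATIONS, tier=TIER):
    """Paths that start in a less-protected system than the target: the
    dev-to-production hop the article warns about."""
    return [p for p in paths_to(target, destinations) if tier[p[0][0]] < tier[target]]


def format_path(path):
    return " -> ".join(system if name is None else f"{system}[{name}: {reason}]"
                       for system, name, reason in path)


if __name__ == "__main__":
    for target in ("PRD", "BW"):
        for p in escalating_paths(target):
            print(format_path(p))
```

The interesting output is not the direct SOLMAN-to-PRD destination but the two-hop DEV-to-QAS-to-PRD chain built from trust relationships that each looked reasonable on their own. Note what the model deliberately ignores: a trusted-system hop still requires the calling user to pass the S_RFCACL check in the called system, so tightening S_RFCACL there removes the edge even if the destination stays; and the stored-user hop is only as bad as that user's authorizations, which is why stored users should be System users with minimal S_RFC.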
6. Unmonitored Security Events
Many SAP estates don't have the Security Audit Log (SM19/SM20, or RSAU_CONFIG and RSAU_READ_LOG on newer releases) properly configured, or have it running but never forward it to a SIEM. Without it, suspicious activity, such as a burst of failed logons followed by a success, a logon with a standard user, or a value changed in the debugger, goes unseen until after the damage.
Close it: enable the Security Audit Log on every application server with a filter set that covers logon events, the standard and emergency users, and critical events such as debugger use and RFC logon failures; forward the events to your SIEM; and define alerting for the high-risk actions rather than collecting everything and reading nothing.
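The alerting logic described above, run over sample records, as an added example that is not part of the article or of any SAP product. The records are constructed in a flat pipe-separated layout standing in for an audit-log export; a real SAL file or SIEM feed will need its own parser. The message IDs used (AU1 successful logon, AU2 failed logon, AU3 transaction started, CUM jump to the ABAP debugger, CUL field content changed in the debugger) should be checked against the event list of your release, and the thresholds are assumed tuning values.

```python
"""Alerting over Security Audit Log events, on constructed records.

Added example, not from the article. The records are constructed in a flat
pipe-separated layout (date|time|client|user|terminal|msgid|message) that
stands in for an audit-log export; a real SAL file or SIEM feed will need its
own parser. Message IDs: AU1 successful logon, AU2 failed logon, AU3
transaction started, CUM jump to the ABAP debugger, CUL field content changed
in the debugger. Check them against the event list of your release before
relying on them. Thresholds are assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}
FAILED_LOGON_THRESHOLD = 5              # assumed tuning
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample export.
SAMPLE_LOG = """\
20240312|081501|100|JSMITH|WS-1042|AU1|Logon successful
20240312|081730|100|JSMITH|WS-1042|AU3|Transaction ME23N started
20240312|090002|000|SAP*|10.0.9.7|AU2|Logon failed (wrong password)
20240312|090004|000|SAP*|10.0.9.7|AU2|Logon failed (wrong password)
20240312|090006|000|SAP*|10.0.9.7|AU2|Logon failed (wrong password)
20240312|090009|000|SAP*|10.0.9.7|AU2|Logon failed (wrong password)
20240312|090011|000|SAP*|10.0.9.7|AU2|Logon failed (wrong password)
20240312|090015|000|SAP*|10.0.9.7|AU1|Logon successful
20240312|101200|100|AKHAN|WS-2001|AU2|Logon failed (wrong password)
20240312|154400|100|BLEE|WS-3310|CUM|Jump to ABAP debugger
20240312|154432|100|BLEE|WS-3310|CUL|Field content changed: SY-SUBRC
20240312|160000|100|DDIC|WS-0001|AU1|Logon successful
"""


def parse(text):
    """Parse the constructed export into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, user, terminal, msgid, message = line.split("|", 6)
        events.append({"ts": datetime.strptime(date + time, "%Y%m%d%H%M%S"),
                       "client": client, "user": user, "terminal": terminal,
                       "msgid": msgid, "message": message})
    return events


def detect(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Return alerts as (rule, severity, user, client, timestamp) tuples."""
    alerts = []
    failures = defaultdict(list)        # (client, user) -> recent AU2 times
    bursting = set()                    # keys that already hit the threshold
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts, mid = (ev["client"], ev["user"]), ev["ts"], ev["msgid"]
        if mid == "AU2":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("FAILED_LOGON_BURST", "high", ev["user"], ev["client"], ts))
        elif mid == "AU1":
            if ev["user"] in STANDARD_USERS:
                alerts.append(("STANDARD_USER_LOGON", "high", ev["user"], ev["client"], ts))
            if key in bursting:         # password guessing followed by success
                alerts.append(("LOGON_AFTER_BURST", "critical", ev["user"], ev["client"], ts))
                bursting.discard(key)
        elif mid == "CUM":
            alerts.append(("DEBUGGER_START", "medium", ev["user"], ev["client"], ts))
        elif mid == "CUL":
            alerts.append(("DEBUGGER_VALUE_CHANGE", "high", ev["user"], ev["client"], ts))
    return alerts


def summarize(alerts):
    """Alert counts per rule, the view a SIEM dashboard would show."""
    return dict(Counter(a[0] for a in alerts))


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for rule, sev, user, client, ts in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{sev}] {rule} user={user} client={client}")
    print(summarize(found))
```

The single failed logon by AKHAN produces nothing, which is the point of a windowed threshold: one typo is noise, five failures in ten seconds against SAP* in client 000 followed by a success is an incident. Keying on client and user together matters because the same user name exists independently in every client, and SAP* in 000 and SAP* in 100 are different accounts with different passwords.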
7. Missing Code and Change Controls
Custom ABAP can contain its own vulnerabilities (SQL and OS-command injection through dynamic statements built from user input, missing AUTHORITY-CHECK calls in front of business operations, directory traversal in file handling), and weak transport controls let unreviewed change reach production. As landscapes modernize, keeping the core clean also reduces the custom-code attack surface.
Close it: scan custom code for security issues (SAP's Code Vulnerability Analyzer in the ABAP Test Cockpit, or an equivalent), enforce AUTHORITY-CHECK before every business operation, and tighten transport and change management so that nothing reaches production without review.
The Pattern: Security Is Operational, Not a Project
The thread running through every gap above is that they reopen over time. New users get over-provisioned, new notes go unapplied, new interfaces get built without SNC, new roles introduce SoD conflicts. A one-time hardening project doesn't keep you secure — ongoing operational discipline does. That's why SAP security belongs in your run operations, not just a periodic audit scramble.
Close the Gaps Before They're Found for You
The most common SAP security gaps are all known and all fixable — the risk comes from no one owning them continuously. Our SAP Security & GRC practice runs a full assessment of your authorizations, patch posture, SoD conflicts, and interface security, then helps you close the gaps and keep them closed. Start with a free SAP assessment to see where your landscape is exposed.