SAP Security in numbers
Notes
According to the partnership agreement with SAP, we do not have the right to publish detailed information about the vulnerabilities found before the release of the patch. Therefore, in this report only those vulnerabilities are described in detail, information about which we have the right to disclose at the moment. However, examples of exploitation of all the mentioned vulnerabilities, proving that they really exist, can be found on video from conferences, as well as on erpscan.ru and dsec.ru.
It should also be noted that our research in the field of SAP security in general and the collection of statistics in particular does not end with this report. We plan to publish new statistics at least annually or as new attack methods become available. The latest statistics on SAP systems on the Internet can be found at sapscan.com.
1. Introduction
The core of every large company is an ERP system; it runs all the business-critical processes, from procurement, payment, and delivery, to human resources, products, and financial planning. All information stored in ERP-systems is of great importance, and any unauthorized access to it can incur enormous losses right up to the stop of the business. According to the report of the Association of Investigators of Theft / Fraud (ACFE), between 2006 and 2010, the loss of organizations from internal fraud amounted to about 7 percent of annual revenue (!). That is why we decided to conduct a detailed study in the field of SAP security using ERPScan, a digital security monitoring system developed by Digital Security, developed by SAP Systems.
The widespread myth that ERP security is just the SOD matrix has exhausted itself over the past 5 years and already seems to be a long history of many past days. Over the past 5 years, SAP security experts have presented many reports detailing various attacks on internal SAP subsystems, such as the RFC data exchange protocol, the access control system - SAP ROUTER, SAP web applications and client clients stations running SAP GUI. Every year, interest in the topic increases exponentially: if in 2007 at specialized technical conferences on hacking and protection there was only 1 report on SAP, then in 2011 there were more than 20. Recently, a number of hacking utilities have been released that confirm the possibility attacks on SAP.
According to the statistics of vulnerabilities in business applications, in 2009 more than 100 vulnerabilities in SAP products were eliminated, while in 2010 there were already more than 500. In total, in March 2012 there were more than 2000 SAP security notes - notifications of vulnerabilities in those other SAP components.
Most of these vulnerabilities allow an unauthorized user to gain access to all critical data for a company's business, which forces one to think about the application of various solutions aimed at protecting SAP systems.
1.1. New Corporate Security Trends
The trends in the development of the infrastructure of companies have recently moved from a decentralized model to the integration of all business processes into single systems. Previously, the company had many servers, such as mail, file, domain controller, and others, but now all these functions are integrated into a single business application, which provides, on the one hand, ease of access, and on the other, a single point of failure. In business applications and in ERP systems, all critical company data is stored, starting from financial statements and personal data, and ending with lists of counterparties and corporate secrets. For an external attacker or insider, such a system is the main target, and its ultimate goal is not at all administrator rights on the domain controller.
However, many security professionals now, unfortunately, are extremely superficially aware of the protection of business applications such as SAP. The problem also lies in the fact that the security functions do not lie with CISO, but with the system owners, who actually control themselves. As a result, no one is responsible for the security of the most critical elements of the system.
Of the less global problems, it is also worth noting:
• Lack of qualified specialists. In most companies, SAP security is only perceived by SAP specialists as an SOD problem, but on the part of the security service, understanding of SAP threats is superficial at best, not to mention the fine-tuning.
• A huge number of subtle settings.In the standard settings of the system, there are more than 1000 parameters, as well as a huge mass of subtle settings, not to mention the differentiation of rights to various objects, such as transactions, tables, RFC procedures and others - for example, only web interfaces for accessing the system maybe a few thousand. In all this mass of settings, the task of ensuring the security of even one system can be a daunting task.
• Customizable settings. It is unlikely that there will be two identical SAP systems, since most of the settings are somehow tailored to the customer, and in addition, their own programs are being developed, the safety of which should also be taken into account in a comprehensive assessment.
• Automation.Having a large number of systems with constantly changing configurations also introduces additional problems.
Our goal is to bring this problem from a theoretical level to a practical one, based on real data and measurements: from information about the number of problems detected and their popularity to the number of vulnerable systems. To do this, we have implemented a global project to scan SAP systems available from the Internet.
2. Vulnerability statistics
2.1. Number of SAP Security Notifications
Periodically, SAP released an internal document called " Safety notice » (SAP Security note). It typically stores information about one or more vulnerabilities in SAP products or configuration errors that pose a risk to SAP systems. The first such notice was published in 2001. Since 2007, their number has been growing exponentially.
As of April 26, 2012, more than 2,000 SAP security notifications have been published.
During 2011, approximately 65 SAP Security Notices were usually posted on Critical Patch Day (every second Tuesday). Compared with other manufacturers, it is more than that of Microsoft, Oracle and Cisco. It should be noted that only 3 years ago there were much fewer of them.

Number of SAP Security Notifications by Year
2.2. Criticality SAP Security Notifications
SAP uses 5 severity levels for its notifications:
1 - Sensation
2 - High priority
3 - Medium priority
4 - Low priority
5 - Recommendations / additional information
Most problems (69%) are high priority, which means that about 2/3 of the published vulnerabilities need to be fixed quickly.
2.3. SAP Security Notifications by Type
We analyzed all published SAP security notifications by type. The most popular problems are presented on the chart:

It is worth noting that a new type of vulnerability called Verb Tampering has become one of the most popular. This vulnerability in the Authentication Bypass class was first discovered by Digital Security, and subsequently as many as 18 problems of this type were discovered.
About 20% of vulnerabilities were not included in this rating, since there are a significant number of unique problems in SAP systems. Some of them are described in our presentation “ Top 10 most interesting vulnerabilities in SAP ”.
2.4. Thanks to outside researchers
In 2010, SAP decided to thank third-party security researchers for the vulnerabilities found in their products. The diagram shows the number of vulnerabilities discovered by third-party researchers since 2010. Half of the vulnerabilities were found and successfully fixed by SAP using Digital Security (50 vulnerabilities and 26% of the total) and VirtualForge (44 vulnerabilities, i.e. 23%). The second half was discovered by two dozen other companies, and their number is growing, which proves the growing popularity of this area.

2.5. Amount of publicly available information
Vulnerabilities pose the greatest danger, information on the exploitation of which (a detailed description of the vulnerability, PoC exploits or full exploits) is available online. We collected information from the following popular sources:
SecurityFocus - here you can find a detailed description, sometimes a PoC exploit. All vulnerabilities in this database have a high probability of exploitation. Details about 123 vulnerabilities were found here (6% of the total).
Exploit-DB - here are ready-made exploits that can be used without making changes and without any knowledge about the operation of the corresponding system. All vulnerabilities in this database have a critical probability of exploitation. 24 exploits were found here (1% of the total number of vulnerabilities).
2.6. Top 5 most important vulnerabilities in 2011
Of the many published vulnerabilities, we selected the top 5 problems that pose the greatest threat:
• Bypass authentication using Verb Tampering
• Bypass authentication using Invoker Servlet
• Buffer overflow in ABAP kernel call
• Remote code execution through TH_GREP
• JSESSIONID expansion using the SAP Management console
1. Bypass authentication with Verb Tampering
This vulnerability was discovered in the J2EE SAP NetWeaver engine. It allows an anonymous hacker to completely compromise the SAP system. About 40 applications vulnerable to this attack were discovered. In the most critical case, you could create any user, assign him any role in the system and execute any command in the OS.
| Spying Risk : | Critical |
| The risk of sabotage : | Critical |
| Fraud Risk : | Critical |
| Availability : | Anonymous over the Internet |
| Ease of operation : | High |
| CVSSv2: | 10 |
| Description : | http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/ |
| Patch : | SAP Security Notices: 1589525, 1624450 |
| Author : | Alexander Polyakov (Digital Security) |
2. Bypass authentication using Invoker Servlet
This vulnerability was discovered in the J2EE engine of SAP NetWeaver. It allows an anonymous hacker to bypass the security restrictions of SAP web services and directly call critical functions by the names of their classes. About 30 applications are vulnerable to this attack. Depending on the specific application, you can add new users to the system, read system files, including database files, or reveal critical information.
| Spying Risk : | Critical |
| The risk of sabotage : | Critical |
| Fraud Risk : | Critical |
| Availability : | Anonymous over the Internet |
| Ease of operation : | High |
| CVSSv2: | 10 |
| Description : | http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459 e5a69cb513597ec / frameset.htm |
| Patch : | SAP Security Notice: 1585527 |
| Author : | Sap |
3. Buffer overflow in an ABAP kernel
call A buffer overflow vulnerability was detected in an ABAP kernel call. It can be exploited by calling the ABAP report, which uses a vulnerable kernel call and passes the data entered by the user into it. This vulnerability allows a user with BASIS privileges to compromise the OS and execute any commands with adm privileges. Right now, only the PoC exploit is publicly available, but there is also a working exploit created in our laboratory.
| Spying Risk : | Critical |
| The risk of sabotage : | Critical |
| Fraud Risk : | Critical |
| Availability : | Requires BASIS user |
| Ease of operation : | Medium. You need to know the technology for writing exploits for various platforms |
| CVSSv2: | 4.8 |
| Description : | http://virtualforge.com/tl_files/Theme/whitepapers/BlackHat_EU_ 2011_Wiegenstein_The_ABAP_Underverse-WP.pdf |
| Patch : | SAP Security Notices: 1487330, 1529807 |
| Author : | Andreas Wiegenstein |
4. Remote code execution via TH_GREP
Vulnerabilities in remote command execution in ABAP gained popularity in 2011. One of the best known vulnerabilities was found in the TH_GREP function module. Interestingly, Joris found this vulnerability back in 2010, it was fixed, but our researcher Alexey Tyurin analyzed the patch and found that it did not completely solve the problem: in Windows, the patch could be bypassed. And only then this vulnerability was finally fixed. It allows an authorized user with BASIS privileges to compromise the OS and execute any commands with adm privileges.
| Spying Risk : | Critical |
| The risk of sabotage : | Critical |
| Fraud Risk : | Critical |
| Availability : | Requires BASIS user |
| Ease of operation : | High. |
| CVSSv2: | 6 |
| Description : | http://erpscan.ru/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/ |
| Patch : | SAP Security Notice: 1620632 |
| Author : | Joris van de Vis and Alexey Tyurin (Digital Security) |
5. Disclosure of JSESSIONID using the SAP Management console
Mariano Nunez found a vulnerability in the SAP MMC service that allowed anonymous reading of any log file in the SAP system. In turn, during the testing of SAP systems for penetration, we found that the JSESSIONID value is sometimes stored in the log files if the maximum trace level is set. And access to JSESSIONID means the ability to insert its value in a cookie and log into the SAP system under the guise of an existing user.
| Spying Risk : | Tall |
| The risk of sabotage : | Average |
| Fraud Risk : | Tall |
| Availability : | Medium. Requires remote access to MMC |
| Ease of operation: | Medium. Tracing must be enabled |
| CVSSv2: | 5.6 |
| Description : | http://erpscan.com/wp-content/uploads/2012/06/Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP-2012-InfoSecurity-Kuwait.pdf |
| Patch : | SAP Security Notice: 1439348 |
| Author : | First discovered by Mariano Nunez; new vector found by Alexei Tyurin (Digital Security) |
3. Increasing interest
Information security trends currently focus mainly on mobile applications, cloud services, social networks and critical infrastructure, which may become the target of attackers in the near future. However, there is such an area as the security of ERP-systems, and these systems are under threat now. Therefore, a growing number of companies are involved in the security of ERP-systems and develop software to audit their security. At the same time, new companies are constantly appearing that offer specialized consulting services in the field of ERP system security.
3.1. Number of safety reports at technical conferences
Since 2006, SAP security has received increasing attention at technical security conferences such as BlackHat, HITB, etc. Since 2010, this trend has spread to other conferences. More and more companies and researchers are publishing SAP security research. From 2006 to 2009, most of the reports were devoted to the classic IS threats in the SAP landscape: SAP web application security, SAP client-side security, backdoors and Trojans for SAP. In the last year, the focus of attention has shifted to highly specialized studies of various types of vulnerabilities in SAP, in ABAP code and in SAP Kernel, such as SQL injections , buffer overflows , and vulnerabilities in the J2EE engine. The most striking examples are Verb Tampering ,Session Fixation , Invoker Servlet , as well as vulnerabilities in SAP native protocols - DIAG and P4 .

The number of SAP security reports presented at various conferences each year is shown in the graph. For 2012, an approximate amount was calculated based on data for the first 4 months.
4. SAP on the Internet
Among the many people working with SAP, there is a myth that SAP systems are isolated from the Internet, so all vulnerabilities in SAP can only be exploited by insiders.
From an interview with Sachar Paulus, Senior Vice President of Product Protection and Security at SAP, for CIO Magazine:
CIO : What, in your opinion, are the most important SAP security threats? What security aspects of SAP products do you consider the most difficult?
Sakkar : Another threat is people who connect their SAP systems to the Internet in order to strengthen the support of the logistics chain in the system or to make life easier for employees by adding new functionality. The problem here is that classic, well-studied network threats are poorly understood by the ERP community.The people who are responsible for ERP systems understand the threat of an insider attack, because they have dealt with it for many years, but when business demands dictate the need to connect the system to the Internet, these people do not think about such threats as cross-site scripting . Viruses or worms may appear under ERP platforms, while these people do not understand the importance of patches. This is the hardest challenge for organizations. To meet this challenge, collaboration is needed between people who understand the security of ERP systems and people who understand the security of the Internet, email, and web services .
Business applications are not only available from the internal network; this is a myth that was a reality ten years ago, when all the information about the company was usually stored on one server. Business is changing, and companies need network connections between different applications. They need to have contact with branches around the world, exchange data with customers through web portals, SRM and CRM systems, and have access to information from anywhere in the world through mobile solutions. Almost all business applications now have access to the Internet.
To destroy the myth mentioned above, we will demonstrate which services are available remotely, which companies they belong to and in what way these services are vulnerable to modern threats.
4.1. Google Search Results by Country
These statistics were compiled using simple queries on the well-known Google search engine.
| Application Server Type | Search query |
| SAP NetWeaver ABAP | Inurl: / SAP / BC / BSP |
| SAP NetWeaver J2EE | Inurl: / irj / portal |
| SAP BusinessObjects | inurl: infoviewapp |
As a result of the scan, about 610 unique servers with various SAP web applications were discovered. Obviously, the most popular platform is J2EE. Unfortunately, such servers are more vulnerable than the ABAP engine, since in this platform there are at least 3 different vulnerabilities that can be exploited anonymously and provide full access to the system. On the other hand, in the ABAP engine there are a lot of predefined user accounts with standard logins and passwords, and hackers can take advantage of this. And SAP BusinessObjects has both of these problems.
| Applications server | number | % |
| SAP NetWeaver J2EE | 268 | 44% |
| SAP Web Application Server | 163 | 27% |
| SAP BusinessObjects | 106 | 17% |
| SAP NetWeaver ABAP | 73 | 12% |

Application Servers by Country
4.2. Shodan Search Results by Country
Www.shodanhq.com was chosen as the second resource for searching SAP web interfaces on the Internet . The peculiarity of this service is that it not only finds applications that have been indexed by search robots, but scans the entire Internet for an open 80th port (and others), so it was used for additional search for SAP systems.
In total, we found 2677 servers with various SAP web applications. This is 4.5 times more than using Google.
| Applications server | number | % |
| SAP NetWeaver J2EE | 863 | 32% |
| SAP Web Application Server | 734 | 27% |
| SAP BusinessObjects | 686 | 26% |
| SAP NetWeaver ABAP | 394 | fifteen% |

4.3. Port Scan Results by Country
The most interesting and difficult part of the study is scanning the Internet not only for the presence of web services, but also for services that should not be accessible through the Internet at all.
At this stage, this task was performed using a simple algorithm that scanned only the server subnets that were found through Google and Shodanhq (this is about 1000 subnets). We found a large number of ports that are listened to by such SAP services as Message Server HTTP, SAP Gateway, SAP HostControl. The number of open ports will be updated online at www.sapscan.com , the project’s official website.
Another project that has not yet been completed is a global scan of the Internet for open ports. At the moment, only a number of the largest countries are fully scanned.
As an example, below are the results of a scan of Russia. In total, 58 SAP routers installed by default on port 3299 were detected. After receiving a list of SAP routers on all subnets where SAP routers were found, a scan was launched for the presence of services prohibited for external use, such as SAP Hostcontrol, SAP Dispatcher , SAP Message Server, SAP Management console.
10% of Russian companies that use SAP open direct Internet access for the SAP Dispatcher service bypassing the router.
The chart below shows the percentage of companies that open Internet access for certain critical SAP services.

5. SAP Versions
We checked which versions of the ABAP and J2EE engines are most often found on the Internet in order to understand the life cycle of SAP products and find out which versions of products are popular now. We also checked which OS and RDBMS are used most often with SAP systems.
5.1. ABAP Engine Versions
To find out the ABAP versions, we connected to the root of the application server and analyzed the HTTP responses. We also took advantage of the disclosure vulnerability. You can easily find out the version of SAP NetWeaver if the application is configured insecurely and allows an attacker to extract information from / sap / public / info.
After scanning all available SAP NetWeaver ABAP servers, it was found that 59% of them were vulnerable to information disclosure.
Better security settings, such as disabling access to all BSPs, are available by default in the EHP 2 update, but EHP 2 is installed on only 11% of the servers. This means that, even though SAP itself cares about the security of its systems, the development efforts are useless without the participation of system administrators.
The most popular version (45%) is NetWeaver 7.0, but it was released in 2005!

5.2. J2EE Engine Versions
J2EE engine version information can easily be found by reading the HTTP response. However, detailed information about the patch version is available if the application server is not configured correctly and allows the attacker to view information from some pages. For example, these two pages reveal information about the J2EE engine: /rep/build_info.jsp and /bcb/bcbadmSystemInfo.js.
After scanning all available SAP NetWeaver J2EE servers, it turned out that 62% of them are vulnerable to information disclosure through the page /rep/build_info.jsp and 17% through the page /bcb/bcbadmSystemInfo.jsp.
Detailed product version information is provided below.

5.3. Popular OSs for SAP
Using the / sap / public / info page, you can get information about the OS versions where ABAP is deployed. Analysis of the search results for SAP systems that have Internet access showed that the most popular operating systems are Windows NT (28%) and AIX (25%). Our statistics, collected during the internal audits of SAP, show the great popularity of * .NIX systems, although Windows is the leader in systems connected to the Internet.

5.4. Popular DBMSs for SAP Backend
The most popular DBMS is still Oracle - 59%. Other DBMSs are listed below.

It is worth noting that the Oracle DBMS installed with SAP is vulnerable to a very dangerous attack where authorization is bypassed and an unauthorized user gets direct access to the database without any authentication data, due to the incorrect use of the REMOTE_OS_AUTHENT parameter. This is a very old issue, published back in 2002, but it is still relevant.
6. Critical Internet Services
In addition to web interfaces that must be available on the Internet due to various business requirements, such as SAP Portal, SAP SRM, or SAP CRM, there are services that should not be accessible from the outside. They not only carry a potential risk, but also have real vulnerabilities and configuration errors, well known and well described in public sources. Of course, we do not provide a complete list of critical SAP services, only the most popular of them. About 1000 subnets of companies using SAP were scanned. The graph shows the percentage of companies where critical SAP services were open for remote access.

It is easy to notice that the most popular service is SAP Router, and this is normal, because its purpose is to be open for remote connections. But what about the rest of the services? They should not be accessible over the Internet, but available. And their number is not as small as we expected before the start of the project.
6.1. WebRFC Service with NetWeaver ABAP
WebRFC is the default web service available on the SAP NetWeaver ABAP platform. It allows you to perform dangerous RFC functions using HTTP requests to the NetWeaver ABAP port and to the / sap / bs / web / rfc page. Some of these functions are critical, for example:
• Reading data from SAP tables
• Creating SAP users
• Running OS commands
• Financial transactions, etc.
By default, any user has access to this interface and the ability to execute the RFC_PING command by sending an XML packet. To perform other functions, additional authorization is required. Thus, there are two main risks:
• If the system has a default user with a predefined password, the attacker can perform numerous dangerous RFC functions, because the default user has rather dangerous rights.
• If a hacker remotely finds out the authentication data of any existing user, he will be able to carry out a denial of service attack by sending an RFC_PING request with a modified XML packet.
WebRFC was found to be included in 40% of ABAP systems.
We did not check whether standard passwords are used in these systems, but according to various statistics collected in the course of our research and the research of colleagues, one or more accounts are by default in 95% of systems.
6.2. CTC Service with NetWeaver J2EE
CTC, or ConfigTool, is the default web service installed on the NetWeaver J2EE engine. It allows you to remotely control the J2EE engine. This web service can be found through Google, and it is often found on SAP Portal systems. It is possible to perform functions such as:
• Creating users
• Assigning roles to users
• Executing OS commands
• Remotely turning the J2EE engine on and off
Digital Security researchers have discovered a vulnerability called Verb Tampering in this service . It allows you to bypass authorization checks when remotely accessing the CTC service. This means that anyone can remotely gain full unauthorized access to all business-critical information located in the J2EE engine.
It was found that in 61% of J2EE systems on the Internet, CTC service is enabled.
We have not tested whether these systems are vulnerable, but our experience with penetration tests shows that about 50% of systems are potentially vulnerable.
6.3. SAP Message Server HTTP
SAP Message Server HTTP is the HTTP port of the SAP Message Server service, which allows you to balance the load on SAP application servers. Usually this service is available only within the company, however, in some systems external IP addresses were found that, as a rule, are not needed to perform business tasks and at the same time can lead to critical actions in the system. By default, the SAP Message Server listens on port 80NN, where NN is the system number. One of the problems of SAP Message Server HTTP is the ability to retrieve the values of the configuration parameters of the SAP system remotely without authorization. They can be used for further attacks.
Scanning a sample of 1000 subnets of companies using SAP, found 98 open for access Message Server HTTP systems. About every 10th company is vulnerable to unauthorized collection of system parameters remotely via the Internet; most of them are located in China (55%) and India (20%).
6.4. SAP Management Console
SAP HostControl is a service that allows you to remotely control SAP systems. Its main functions are remote on and off, for their use you need to know the login and password. In addition to functions requiring authorization, there are some functions available remotely without authorization. Basically, they allow you to read various system logs, trace data, and sometimes system parameters. Such functions and related problems have been fairly well studied by Chris John Riley, an independent researcher.
A much more dangerous discoveryDigital Security researchers are associated with the ability to find the value JSESSIONID in the system log files. JSESSIONID is the identifier that controls HTTP sessions. In one of the possible attacks, an attacker could insert the JSESSIONID value into a cookie of a web browser and gain unauthorized access to a user's session.
The same scan, which was discussed in the previous paragraphs, showed that in 9% of subnets, SAP Management services are open for access. There were 548 of them. Approximately every 11th company is vulnerable to attacks that allow you to remotely receive system log files or system parameter values.
6.5. SAP Dispatcher Service
SAP Dispatcher is the main client-server communication service in SAP. It allows you to connect to SAP NetWeaver using the SAP GUI application using the DIAG protocol. The SAP Dispatcher port should not be directly accessible over the Internet, and even access within the network should be provided to strictly defined users or user groups. Note: this is a Dispatcher, not a WEB Dispatcher, which, of course, must be accessible from the Internet.
However, having scanned 1000 subnets, we found 832 SAP Dispatcher services available over the Internet in 15% of networks. Every 6th company is vulnerable to DoS attacks and unauthorized access with standard passwords in SAP Dispatcher.
Why is this dangerous?
Firstly, this service allows you to directly connect to the SAP system using the SAP GUI, where an attacker does not need anything other than a valid login and password. And SAP has a lot of standard passwords, and our experience with penetration tests shows that they are relevant in 95% of systems.
Another problem that Core Security discovered some time ago is that the SAP Dispatcher service has multiple buffer overflow vulnerabilities that could lead to a denial of service attack, and one of them also allowscode execution. The exploit code was published on May 9, and now an unauthorized attacker can exploit the vulnerability without any rights in the system. The good news, however, is that the vulnerability only works if DIAG tracing is enabled at level 2 or 3 - the default value is different. There may be other problems with this service, so it should not be accessible remotely.
7. Conclusions
It can be concluded that interest in SAP security is growing exponentially. Given the growing number of vulnerabilities and the huge number of SAP systems available over the Internet, we predict that SAP systems can become a target not only for direct targeted attacks (so-called APTs), but also for mass exploitation through worms, including those using many vulnerabilities at the same time.
At the moment, we work closely with the SAP Security Response Team in the search for new vulnerabilities and attack methods, as well as protection against them, by conducting training seminars. SAP regularly publishes new documents on the secure configuration of SAP systems, thereby teaching administrators how to protect themselves from new threats. Now the main mission to protect SAP systems is entrusted to the security service and administrators who need to protect their systems by studying manuals, setting up secure configurations, installing the latest updates and auditing ABAP code on an ongoing basis.