Author: VEX-I Technology Team
Date: 3/3/2026
Reading Time: 4 min
Category: Security

SAP Security Vulnerabilities: Detect, Then Fix

Security gaps in SAP custom developments are a serious risk. VEX-HUB does not just detect them; it prepares the fix and applies it once you approve.


SAP Security: The Real Risk Hides in Custom Code

Most SAP security work focuses on standard configuration: SoD checks, role authorizations, password policies. These matter, but they only address one part of the picture. Custom developments — the Z code in your system — are often the bigger and less visible risk surface.

A typical SAP system contains thousands of Z programs, function modules, classes, and enhancements. Each one is a candidate for SQL injection, missing authorization checks, hard-coded credentials, or sensitive data leakage. Most organizations cannot keep up with manual review of this code at scale.

Common Security Issues

In Z code we frequently see:

1. SQL Injection

DATA(lv_where) = |name LIKE '%{ p_input }%'|.
SELECT * FROM customer INTO TABLE @DATA(lt_customer)
  WHERE (lv_where).

If p_input comes from a user, the WHERE clause is assembled from that input as text, so whoever controls p_input controls the condition: they can close the quoted pattern and append their own OR conditions, or filter on columns the report was never meant to expose. Pass user input as a host variable (@p_input) or host expression (@( ... )) so it is bound as a value rather than parsed as SQL. Where a dynamic clause is genuinely unavoidable, pass every value through cl_abap_dyn_prg=>quote( ) or cl_abap_dyn_prg=>escape_quotes( ) before it is concatenated.

2. Missing Authorization Checks

SELECT SINGLE * FROM payroll_data
  INTO @DATA(ls_payroll)
  WHERE empnr = @p_empnr.
" No authorization check

Sensitive data is read without checking that the caller is allowed to see it: anyone who can run the program can read any employee's record. Run AUTHORITY-CHECK against the relevant authorization object before the read, and test sy-subrc afterwards. An AUTHORITY-CHECK whose result is never evaluated protects nothing, and that is a classic finding in Z code that looks protected at first glance.

3. Hard-Coded Secrets

DATA(lv_password) = 'admin123'.
DATA(lv_api_key) = 'sk-12345...'.

Credentials live inside the code, so anyone who can read the source, the transport or the version history can extract them, and rotating them requires a code change. Keep them out of the program: store them in the Secure Store (SECSTORE) and read them at runtime, or, for connection credentials, maintain them on the RFC destination (SM59) so the password never appears in ABAP at all.

4. Sensitive Data in Output and Logs

WRITE: / 'Card Number:', lv_card_number.
WRITE: / 'TC Number:', lv_tc.

WRITE sends these values to the list output and, when the report runs in the background or the list is saved, to the spool, where anyone with spool display authorization can read them long after the run. The same applies to values pushed into the application log (SLG1). Mask or omit card numbers, national ID numbers and similar identifiers wherever they are not strictly needed in the output.

The VEX-HUB Approach

Traditional tools like SAP Code Inspector and ATC (including the Code Vulnerability Analyzer checks) catch some of these, but they only report. The fix is left to the developer. In practice, that means most flagged issues sit in the report and never get fixed.

VEX-HUB takes a different approach:

1. Comprehensive Scanning

It scans all custom code in your system — Z programs, function modules, classes, enhancements, includes — against OWASP and SAP security standards.

2. Risk-Based Prioritization

Not every vulnerability is equally dangerous. VEX-HUB classifies findings:

  • Critical: Exposed to direct attack and exploitable (e.g., SQL injection on a user-facing report)
  • High: Real vulnerability but requires specific access (e.g., a missing authorization check on a back-office program)
  • Medium: Best-practice violation, low real-world impact
  • Low: Style or warning-level issue

You can focus on Critical and High first.
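The following is an added example, not VEX-HUB code and not a description of its internals: a small Python scanner that applies the four checks from the previous section to ABAP source, assigns the tiers above (a dynamic WHERE clause in a program with a selection screen is Critical because the input is user-supplied, otherwise High; the other three classes are High because they need source, spool or program access) and is run once on a constructed vulnerable report and once on its remediated version. The table name PAYROLL_DATA, the token lists, both sample reports and the authorization object Z_PAYROLL are assumptions made for the example.

```python
"""Heuristic ABAP scanner for the four issue classes above. Added example, not
VEX-HUB code: it splits source into statements at the terminating period instead
of parsing a real syntax tree, so every rule is an approximation. The two sample
reports below are constructed; Z_PAYROLL is a hypothetical authorization object."""
import re
from collections import namedtuple

SENSITIVE_TABLES = {"PAYROLL_DATA"}          # assumed: reads must follow AUTHORITY-CHECK
SECRET_TOKENS = {"password", "pwd", "pass", "secret", "token", "key"}
PII_TOKENS = {"card", "iban", "pan", "ssn", "tc", "password", "secret", "token"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)                 # WHERE (lv_where)
FROM_TABLE = re.compile(r"\bFROM\s+(\w+)", re.I)
SECRET_ASSIGN = re.compile(r"^(?:DATA\(\s*)?(\w+)\s*\)?\s*=\s*'[^']+'$", re.I)  # x = 'lit'
LITERAL = re.compile(r"'[^']*'|`[^`]*`|\|[^|]*\|")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_\-]*")
Finding = namedtuple("Finding", "rule severity line unit text")
def tokens(ident): return set(re.split(r"[_\-]", ident.lower()))      # lv_card_no -> {lv,card,no}

def statements(source):
    """Yield (line, unit, text) per statement: drops '*' and '"' comments, splits on '.'
    outside '...', `...` and |...| literals, tracks the enclosing FORM/METHOD/FUNCTION."""
    buf, start, quote, unit = [], None, None, "main"
    for no, raw in enumerate(source.splitlines(), 1):
        if raw.startswith("*"):
            continue
        for ch in raw:
            if quote or ch in "'`|":                          # inside a literal, or opening one
                quote = None if ch == quote else quote or ch
            elif ch == '"':
                break                                         # rest of the line is a comment
            elif ch == ".":
                text, first, buf, start = " ".join("".join(buf).split()), start, [], None
                if text:
                    head, *rest = text.split()
                    if head.upper() in ("FORM", "METHOD", "FUNCTION"):
                        unit = rest[0]
                    yield first, unit, text
                    if head.upper() in ("ENDFORM", "ENDMETHOD", "ENDFUNCTION"):
                        unit = "main"
                continue
            if start is None and not ch.isspace():
                start = no
            buf.append(ch)
        buf.append(" ")
        quote = None                                          # literals never span lines

def scan(source):
    stmts = list(statements(source))
    # A selection screen (PARAMETERS / SELECT-OPTIONS) means the input is user-supplied.
    user_facing = any(t.split()[0].upper() in ("PARAMETERS", "SELECT-OPTIONS") for _, _, t in stmts)
    guarded = {u for _, u, t in stmts if t.upper().startswith("AUTHORITY-CHECK")}
    out = []
    for line, unit, text in stmts:
        head = text.split()[0].upper()
        table = m.group(1).upper() if (m := FROM_TABLE.search(text)) else ""
        if head in ("SELECT", "UPDATE", "DELETE", "MODIFY") and DYN_WHERE.search(text):
            out.append(Finding("sql_injection", "Critical" if user_facing else "High", line, unit, text))
        if head == "SELECT" and table in SENSITIVE_TABLES and unit not in guarded:
            out.append(Finding("missing_authorization", "High", line, unit, text))
        if (m := SECRET_ASSIGN.match(text)) and tokens(m.group(1)) & SECRET_TOKENS:
            out.append(Finding("hardcoded_secret", "High", line, unit, text))
        idents = IDENT.findall(LITERAL.sub(" ", text))[1:]               # [0] is the keyword
        if head.startswith("WRITE") and any(tokens(i) & PII_TOKENS for i in idents):
            out.append(Finding("sensitive_output", "High", line, unit, text))
    return sorted(out, key=lambda f: (RANK[f.severity], f.line))

def summary(findings):
    return {s: sum(f.severity == s for f in findings) for s in RANK}

VULNERABLE_REPORT = """\
REPORT zcust_search.
PARAMETERS p_input TYPE string.
DATA(lv_password) = 'admin123'.
START-OF-SELECTION.
  DATA(lv_where) = |name LIKE '%{ p_input }%'|.
  SELECT * FROM customer INTO TABLE @DATA(lt_cust) WHERE (lv_where).
FORM show_payroll.
  SELECT SINGLE * FROM payroll_data INTO @DATA(ls_pay) WHERE empnr = @p_input.
  WRITE: / 'Card Number:', ls_pay-card_no.   " no AUTHORITY-CHECK before the read
ENDFORM.
"""

HARDENED_REPORT = """\
REPORT zcust_search.
PARAMETERS p_input TYPE string.
START-OF-SELECTION.
  SELECT * FROM customer INTO TABLE @DATA(lt_cust) WHERE name LIKE @( '%' && p_input && '%' ).
FORM show_payroll.
  AUTHORITY-CHECK OBJECT 'Z_PAYROLL' ID 'ACTVT' FIELD '03'.
  CHECK sy-subrc = 0.
  SELECT SINGLE * FROM payroll_data INTO @DATA(ls_pay) WHERE empnr = @p_input.
  WRITE: / 'Employee:', ls_pay-empnr.
ENDFORM.
"""

if __name__ == "__main__":
    for f in scan(VULNERABLE_REPORT): print(f"{f.severity:8} {f.rule:22} line {f.line:2} [{f.unit}] {f.text}")
    print("before:", summary(scan(VULNERABLE_REPORT)), " after:", summary(scan(HARDENED_REPORT)))
```

Running it prints one line per finding, Critical first, followed by the before/after counts; the re-scan of the hardened report returns nothing, which is the verification step any scanner needs. The rules are deliberately statement-level. A production scanner resolves data flow (is lv_where really built from p_input?) and control flow (does the AUTHORITY-CHECK guard the SELECT on every path, and is sy-subrc tested?), and those are the same two questions to ask of any finding before accepting or dismissing it.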

3. Automated Remediation

This is where VEX-HUB diverges from traditional tools. For each detected issue, VEX-HUB prepares the fix code:

" Before: the condition is assembled as text from user input
DATA(lv_where) = |name LIKE '%{ p_input }%'|.
SELECT * FROM customer INTO TABLE @DATA(lt_customer)
  WHERE (lv_where).

" After (proposed by VEX-HUB): p_input is bound as a value via a host expression
SELECT * FROM customer INTO TABLE @DATA(lt_customer)
  WHERE name LIKE @( '%' && p_input && '%' ).

The binding closes the injection: p_input can no longer change the structure of the query. Note what it does not do: % and _ inside p_input still act as LIKE wildcards, so if users must be able to search for those characters literally, add an ESCAPE clause and escape them in the host expression. You review the change, approve it, and VEX-HUB applies it. Because even a mechanical rewrite can change runtime behaviour (a narrower match, an authorization check that now stops some users), apply fixes in development and move them through the normal transport and test process rather than straight into production. No need to schedule developer time for hundreds of small fixes.

4. Verification Re-Scan

After applying a fix, VEX-HUB re-scans to confirm the issue is closed. If something else surfaces, it's flagged for the next cycle.

Audit Readiness

Internal audits, ISO 27001, SOC 2, and data privacy requirements increasingly demand evidence of security scanning and remediation. VEX-HUB produces this evidence automatically:

  • Detailed scan reports
  • Remediation history (what was found, what was fixed, when, who approved)
  • Current security posture

When the auditor asks "do you scan custom code regularly?", you don't search for screenshots — you produce a current report.

Continuous Scanning

Security is not a one-time event. Every new piece of code is a candidate for new vulnerabilities. VEX-HUB scans:

  • On a schedule (for example nightly)
  • After every transport release
  • On demand for ad-hoc analysis

Each new or changed object is picked up by the next scan rather than waiting for the next audit.

Conclusion

SAP security is no longer just a configuration topic. Custom code is one of the largest risk surfaces, and most organizations cannot keep up with manual review. VEX-HUB Security Scanning gives you a comprehensive scan with automated remediation — coverage you cannot achieve manually.

Ready to assess your system? Request a demo.
