SAP S/4HANA Security Audit Case Study
Client Overview:
The audited company is a major commodity enterprise in Asia. It originated as a cooperative in a Southeast Asian country and has expanded over the past 15 years into an international conglomerate with a presence in 18 countries. In 2020 the company generated a turnover of USD 51.3 billion, approximately 60% of it from China, the company's largest market.
At the heart of the value chain, the company fills several roles, primarily serving producers with feed, grain, fertilizers, agricultural lime, plant protection products, and vitamins and minerals for livestock. It also acts as a fuel supplier and provides services such as risk management. With producers as its suppliers, the company processes and resells products such as malted grains, seed grain, feed, and cereal grains. It is also a significant exporter in Asia and processes and sells agricultural products such as palm oil and seafood.
Project Overview:
The objective of the security assessment is to ensure that the SAP S/4HANA application adheres to security best practices before its initial launch. The assessment, together with its findings and mitigation strategies, aims to prevent GDPR violations, shield the application from fraudulent use, and harden it against cyber threats, including ransomware.
The assessment's tasks include describing the security controls of the SAP S/4HANA application, reviewing compliance with established security procedures and best practices, and confirming that the known security issues of the existing SAP ECC application have been mitigated in the new system. In addition, suitable software will be selected and implemented to help mitigate new and known issues that SAP S/4HANA itself does not address. Analysis of all outgoing integration points can be included as an optional task.
Approach:
The security team executed a comprehensive security audit covering multiple facets of the system: an assessment of the SAP S/4HANA application implementation, a review of the server build, and an inspection of the broader infrastructure.
The application implementation audit evaluated the S/4HANA configuration against security best practices. We investigated the application's ability to mitigate known security risks and assessed its resilience against cyber threats.
The server build review scrutinized the design, configuration, and implementation of the servers hosting the application. We examined their adherence to recognized industry standards, evaluated the security controls in place, and verified that relevant patches and updates had been applied.
In the infrastructure review, our team analyzed the overall system architecture from a security standpoint. We assessed its resilience against potential threats, evaluated the effectiveness of its security protocols, and examined the adequacy of its defense mechanisms.
This holistic approach ensured that each critical component of the client's system underwent a rigorous security assessment. The audit gave the client a comprehensive picture of the system's security stance, revealing potential vulnerabilities and offering actionable recommendations for improving their security posture.
Results:
During the security assessment we identified several areas of risk. Infrastructure testing revealed three medium-risk and three low-risk findings. While these do not present immediate high-severity threats, they could compromise system integrity over time if left unaddressed. The server build review indicated one medium-risk issue which, if unresolved, could have a negative impact. Finally, the review of the SAP S/4HANA application surfaced nine low-risk findings. Although categorized as low risk, we consider it essential to address them in order to maintain a robust application environment and to avoid any potential escalation.

Senior Cyber Security Engineer @ Cyber Threat Defense