{"id":8055,"date":"2022-09-19T12:28:51","date_gmt":"2022-09-19T10:28:51","guid":{"rendered":"http:\/\/inprosec.com\/?p=8055"},"modified":"2025-10-09T12:50:31","modified_gmt":"2025-10-09T10:50:31","slug":"sap-security-assessment","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/","title":{"rendered":"Evaluation of SAP security"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In this article we focus on the comprehensive service<strong> SAP Security Assessment<\/strong> (SSA), which provides accurate, real-time information about the main risks and insecure configuration settings that can compromise the security (confidentiality, integrity and availability of the information) of SAP systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To begin with, we detail which security checks this service includes and what can be expected from it; finally, an example of one of the technical controls is shown.<\/span><\/p>\n\n<h2>Security Checks<\/h2>\n<p><span style=\"font-weight: 400;\">This SAP Security Assessment has more than 40 security checks distributed across 3 main groups:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Installation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Security<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">System Status<\/span><\/li>\n<\/ul>\n<h3><b>INSTALLATION<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In this section, the software versions of the different SAP components are checked. 
Furthermore, the security notes implemented in the system are also checked and validated.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-8057\" src=\"http:\/\/inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-2.png\" alt=\"\" width=\"247\" height=\"229\" \/><\/p>\n<h3><b>SECURITY<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">This is the main category of the security assessment, and it has the following sections:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Users and their passwords.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Authorization checks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">RFC connections and web services.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configurations related to the client.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SNC &amp; SSO (Security Network Connection &amp; Single Sign-On)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Audit logs and security files.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Custom code (Z).<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><b>SYSTEM STATUS<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">This last category relates to system performance and the maintenance status of jobs.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-8063\" src=\"http:\/\/inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment.png\" alt=\"\" width=\"287\" height=\"287\" 
srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment.png 287w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-150x150.png 150w\" sizes=\"(max-width: 287px) 100vw, 287px\" \/><\/p>\n<h2><b>SAP Security Assessment<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">With the service introduced, we now describe how each control is structured within the SSA.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each control has its own table with the following structure:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Risk<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Rated on a scale of Low\/Medium\/High, depending on the impact that the threat may have on the system and the probability of it occurring.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Detail<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Short description of the information analysed in the control.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Threat<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Description of the security incidents that may occur in the system if security deficiencies exist.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Environment<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Specifies the environment in which the control will be analysed and from which the information will be extracted. 
It may be one of the environments or a combination of them: PRD, QAS and DEV.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Advice<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Group of proposals focused on mitigating or solving a deficiency detected in one of the controls.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Note that these controls are performed on different types of SAP systems, such as NetWeaver AS ABAP, NetWeaver AS JAVA and HANA databases. 
In addition, for most controls the only environment to consider is production (PRD), but there are exceptions in which the settings of the quality (QAS) and development (DEV) environments must also be analysed. In some cases, only the development environment is analysed:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Controls analysed in PRD, QAS and DEV:<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Standard Users.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Password Cracking.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Remote Logon.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Controls analysed only in DEV:<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Security Notes.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Authorization Checks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Custom Tcodes code\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Finally, each control details the compliance status, which evaluates, according to predefined criteria, the state of the system with respect to that control as <\/span><span style=\"color: #339966;\"><b>OK<\/b><\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"color: #ffcc00;\"><b> PARTIAL<\/b> <\/span><span style=\"font-weight: 400;\">or <\/span><span style=\"color: #ff0000;\"><b>KO<\/b><\/span><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8061\" 
src=\"http:\/\/inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-4.png\" alt=\"\" width=\"701\" height=\"199\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-4.png 940w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-4-300x85.png 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-4-600x170.png 600w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/p>\n<h2><b>Security Control: Password Cracking\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Building on the previous point, one of the controls that form part of the SAP Security Assessment is detailed below.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This control is an <\/span><b>analysis of the password hashing method used for SAP users<\/b><span style=\"font-weight: 400;\">, which may rely on obsolete algorithms that can be cracked with external brute-force tools.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The following table provides all the information related to the control:\u00a0<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Risk<\/b><\/td>\n<td><span style=\"font-weight: 400;\">High (High Impact, High Probability)<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Detail<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Analysis of the hash used to protect the passwords, plus a password cracking test. The MD5 hash type (BCODE field) and SHA1 (PASSCODE field) are easily cracked.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Threat<\/b><\/td>\n<td><span style=\"font-weight: 400;\">The use of old hashing methods makes it easier for an attacker to obtain user passwords. 
To obtain the password hashes, it is enough to read one of the following tables: USH02, USH02_ARC_TMP, USR02, USRPWDHISTORY, VUSER001, VUSR02_PWD.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because password cracking is performed outside the SAP system, there are no options to prevent the brute-force attack.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Environment<\/b><\/td>\n<td><span style=\"font-weight: 400;\">PRD, QAS, DEV<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Advice<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Set the value 0 in the parameter <\/span><i><span style=\"font-weight: 400;\">login\/password_downwards_compatibility<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Run the CLEANUP_PASSWORD_HASH_VALUES program to remove old hashes.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Increase the security of the password policy.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Include the most used passwords in the list of prohibited words in the USR40 table, to make brute-force cracking harder for the attacker.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The key to this control is the &lt;login\/password_downwards_compatibility&gt; parameter, which manages compatibility with legacy versions of the hash types used for BCODEs. These alphanumeric \u201cBCODE\u201d values are a hash that corresponds to the first 8 characters of a user password. Because these values are stored in tables, there is a chance that an attacker could reach one of these tables and obtain them. 
If the parameter allows obsolete hash methods such as MD5 (a 128-bit message-digest algorithm) or SHA1 (160-bit hash value), cracking the passwords with external brute-force tools is highly probable.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-8059\" src=\"http:\/\/inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-3.png\" alt=\"\" width=\"159\" height=\"159\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-3.png 159w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assesment-3-150x150.png 150w\" sizes=\"(max-width: 159px) 100vw, 159px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Furthermore, another recommendation that makes things more difficult for attackers is to create a list of prohibited words (table USR40) that no employee can use as a login password. For example, it can contain words such as:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Top 10 most used passwords (Password, Admin, qwerty, 123456\u2026)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Company name or derivatives<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Names of employees, plants or products<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Birthdays<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Names of the months<\/span><\/li>\n<\/ul>\n<h2><b>Key Points to Take Home<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The SAP Security Assessment offers a snapshot of the current state of the SAP system with real and accurate information.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">It makes it possible to detect deficiencies in the current technical configuration.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A detailed results report is included together with a letter of recommendations for each control.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">These security checks can be automated in Configuration Validation, one of the Solution Manager tools that we will explain specifically in another article.<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8065\" src=\"http:\/\/inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assessment-5.png\" alt=\"\" width=\"455\" height=\"322\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assessment-5.png 1121w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assessment-5-300x212.png 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assessment-5-1024x724.png 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/09\/SAP-Security-Assessment-5-600x424.png 600w\" sizes=\"(max-width: 455px) 100vw, 455px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article we focus on the comprehensive service SAP Security Assessment (SSA), which provides accurate, real-time information about the main risks and insecure configuration settings that can compromise the security (confidentiality, integrity and availability of the information) of SAP systems. 
To begin&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7911,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[61,52],"tags":[153,172],"class_list":["post-8055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sap-security-en-2","category-technical-article","tag-sap-security","tag-sap-security-assessment-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.3 (Yoast SEO v27.5) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Evaluation of SAP security - Inprosec<\/title>\n<meta name=\"description\" content=\"During this article we are going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Evaluation of SAP security\" \/>\n<meta property=\"og:description\" content=\"During this article we are going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP systems.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/\" \/>\n<meta property=\"og:site_name\" content=\"Inprosec\" \/>\n<meta property=\"article:published_time\" 
content=\"2022-09-19T10:28:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-09T10:50:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fernando Mosquera\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Mosquera\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/\"},\"author\":{\"name\":\"Fernando Mosquera\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"headline\":\"Evaluation of SAP security\",\"datePublished\":\"2022-09-19T10:28:51+00:00\",\"dateModified\":\"2025-10-09T10:50:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/\"},\"wordCount\":959,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/Recurso-SAP-Security-Assesment.jpg\",\"keywords\":[\"SAP Security\",\"SAP Security Assessment\"],\"articleSection\":[\"SAP Security\",\"Technical 
Article\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/\",\"name\":\"Evaluation of SAP security - Inprosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/Recurso-SAP-Security-Assesment.jpg\",\"datePublished\":\"2022-09-19T10:28:51+00:00\",\"dateModified\":\"2025-10-09T10:50:31+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"description\":\"During this article we are going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP 
systems.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/Recurso-SAP-Security-Assesment.jpg\",\"contentUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/Recurso-SAP-Security-Assesment.jpg\",\"width\":1536,\"height\":768},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-assessment\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Evaluation of SAP security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\",\"name\":\"Inprosec\",\"description\":\"Information security is our priority.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\",\"name\":\"Fernando 
Mosquera\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"caption\":\"Fernando Mosquera\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Evaluation of SAP security - Inprosec","description":"During this article we are going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/","og_locale":"en_US","og_type":"article","og_title":"Evaluation of SAP security","og_description":"During this article we are going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP systems.","og_url":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/","og_site_name":"Inprosec","article_published_time":"2022-09-19T10:28:51+00:00","article_modified_time":"2025-10-09T10:50:31+00:00","og_image":[{"width":1536,"height":768,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg","type":"image\/jpeg"}],"author":"Fernando 
Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"Evaluation of SAP security","datePublished":"2022-09-19T10:28:51+00:00","dateModified":"2025-10-09T10:50:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/"},"wordCount":959,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg","keywords":["SAP Security","SAP Security Assessment"],"articleSection":["SAP Security","Technical Article"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/","url":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/","name":"Evaluation of SAP security - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg","datePublished":"2022-09-19T10:28:51+00:00","dateModified":"2025-10-09T10:50:31+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"description":"During this article we are 
going to focus on the integral service SAP Security Assessment (SSA), which gives the opportunity to have truthful information in real time about the main risks and unsecure configuration settings that can compromise the security of the SAP systems.","breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/sap-security-assessment\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2022\/07\/Recurso-SAP-Security-Assesment.jpg","width":1536,"height":768},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/sap-security-assessment\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"Evaluation of SAP security"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando 
Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=8055"}],"version-history":[{"count":4,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8055\/revisions"}],"predecessor-version":[{"id":9065,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8055\/revisions\/9065"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/7911"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=8055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=8055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=8055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}