Jean-Claude Metge

Interview with Jean-Claude Metge, SAP Security Expert

When talking about IT security or cybersecurity, we mostly think of penetration testing, endpoint security, network security, identity management, etc., and not often of SAP security. Why is it so special?

An SAP product is similar to any other product on the market. SAP runs on an operating system, uses a database solution and offers access to end users via a network. But concerning the product security itself, you are right, it is special because SAP has been designed to secure access to the data at a very low level.

If you define a strict authorization concept and customize it in SAP, you will have a high level of protection.

Could you outline the specific services included in your SAP security consulting offering? And how do you tailor your consulting services to the specific needs and requirements of each client?

My SAP security consulting basically covers the Top 10 well-known vulnerabilities:

  • Configuration errors and leaving settings on insecure defaults
  • Poorly managed security logs
  • Incomplete patch management
  • Default credentials
  • Inadequate user authorization controls
  • Unsecured interfaces
  • Inadequate authentication
  • Insecure custom code
  • Lack of security awareness
  • Obsolete and unsupported systems

I can then evaluate the quality of the current security level and, based on the results, I propose solutions to improve it.

What is your methodology and approach when conducting SAP security assessments? How do you identify vulnerabilities and assess the overall security posture of SAP environments? 

I usually perform an interview or, if possible, have direct access to the SAP system; I then go over around 200 checkpoints and provide the final results.

What are usually the biggest challenges in the SAP environment that have an impact on security?

In my experience, it is users with “privileged access”, like administrative rights, sometimes full rights! These could be shared users or internal users, but also external users or SAP Support members. This should be detected and monitored in real time.

Is there a significant difference in the approach between SAP R/3 and S/4HANA?

No, I don’t see a different approach; the only big difference in S/4 is the possibility to manage a large amount of data in real time (all in memory).
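Added example (editor's illustration, not part of the interview and not Jean-Claude Metge's own tooling): the first item on the Top 10 list above, insecure default settings, is the kind of thing a checkpoint-based assessment verifies against the instance profile. The script below parses a constructed profile excerpt in the usual `name = value` form and compares a handful of real SAP profile parameters against a hardening baseline. The parameter names exist in SAP NetWeaver; the threshold values are an illustrative baseline chosen for this example, not SAP's official recommendation, and a parameter absent from the profile is reported as unverified rather than assumed secure, since the kernel default then applies.

```python
"""Baseline check of SAP profile parameters against insecure defaults.

Added example, not from the interview. Parameter names are real SAP profile
parameters; the required values are an illustrative baseline, not SAP's
official guidance. Sample profile content below is constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed excerpt of an instance profile (not taken from any real system).
SAMPLE_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = ABC
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
rdisp/gui_auto_logout = 0            # 0 = idle GUI sessions never time out
auth/rfc_authority_check = 1
"""

# (parameter, predicate on the integer value, requirement in words).
# Thresholds are this example's baseline, not SAP's published defaults.
RULES: List[Tuple[str, Callable[[int], bool], str]] = [
    ("login/min_password_lng", lambda v: v >= 8, "minimum password length must be >= 8"),
    ("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "lock the user after at most 5 failed logons"),
    ("login/password_expiration_time", lambda v: v >= 1, "passwords must expire (0 = never)"),
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "disable the hard-coded SAP* fallback logon"),
    ("rdisp/gui_auto_logout", lambda v: v >= 1, "idle SAP GUI sessions must be logged out"),
    ("auth/rfc_authority_check", lambda v: v >= 1, "RFC authority check must be active"),
    ("snc/enable", lambda v: v == 1, "SNC must be enabled"),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def check_profile(params: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return one (parameter, observed value, message) finding per rule that
    is violated or cannot be verified because the parameter is not set."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for name, predicate, requirement in RULES:
        value = params.get(name)
        if value is None:
            # Not in the profile: the kernel default applies. Do not assume it
            # is secure; confirm the effective value on the system (RZ11).
            findings.append((name, None, f"not set in profile, verify effective value: {requirement}"))
            continue
        number = _as_int(value)
        if number is None or not predicate(number):
            findings.append((name, value, f"insecure value: {requirement}"))
    return findings


def failing_parameters(text: str) -> List[str]:
    """Convenience wrapper: names of parameters that fail the baseline."""
    return [name for name, _, _ in check_profile(parse_profile(text))]


if __name__ == "__main__":
    for name, observed, message in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name} = {observed!r}: {message}")
```

Against the constructed sample, the check reports the short password length, the never-expiring passwords, the enabled SAP* fallback logon, the missing GUI auto-logout and the absent `snc/enable`, while `login/fails_to_user_lock` and `auth/rfc_authority_check` pass. In a real assessment the profile values are only the starting point: the effective value can differ from the profile when it was changed dynamically, so the figure shown in RZ11 on the running instance is the one to record.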