HomeServicesSAPSecurity Audit of SAP ABAP & JAVA Applications

Onapsis Latest Publications

SAP Security In-Depth Vol.4

Read Case Study

Westinghouse Electric

Consulting Services

Security Audit of SAP ABAP & JAVA Applications

“Are my custom applications exposing my SAP systems to cyber attacks? Have a malicious developer installed backdoors in my source code? How can I secure my custom SAP Applications?”

The Security Audit of SAP ABAP & JAVA Applications service helps you identify, assess and mitigate existing security threats to the custom applications running in your SAP systems.

Most organizations need to fine-tune the standard SAP functionality to integrate their customized business processes. This is implemented by developing custom applications that run on top of your SAP systems and may interact with your sensitive business information.

These applications can be developed in a variety of languages and models, such as ABAP, ABAP OO, Java, WebDynpro for ABAP, WebDynpro for Java, HTMLB and others, each one requiring their own specific security considerations.

Through this service, Onapsis’ experts scan the source code of the target applications looking for security vulnerabilities that could be exposing your sensitive business information. Some examples of these weaknesses and attack vectors are:

  • ABAP Code Injection
  • OSQL Injection
  • ADBC Injection
  • Backdoors
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (XSRF)
  • Invoker Servlet Unsafe Mappings
  • Directory Traversal
  • Dangerous Kernel calls
  • Buffer overflows
  • Insecure file handling
  • Missing authorization checks
  • Dangerous RFC functionality
  • BIZEC APP/11 issues

In order to obtain a detailed list of the exclusive checks comprehended in this service, please contact us here.

Key Benefits:

  • Discover security threats affecting your custom SAP Applications that could lead to attacks against your business information.
  • Raise awareness regarding the importance of Secure Development Life-cycles in your SAP environment.
  • Use the detailed mitigation recommendations as a guideline to improve the security of future developments.


  • Executive Report with a summary of existing risks and the possible impacts for the business.
  • Detailed Technical Report, providing detailed vulnerability information.
  • Mitigation Plan Report, presenting a recommended action plan with detailed mitigation activities for each detected issue.