Audit or Penetration testing? Find your vulnerabilities before you get hurt!

SAST-Blog_Audit-vs-Pentest_Abb_1804To answer the question of which Security & Compliance check is right for you, we must first remember that the term “vulnerabilities” can refer to very different levels of your system landscape and thus refer to a number of attack vectors.

This ranges from system-side levels (e.g. operating system and network security) to the underlying database including the current parameterization of your SAP systems down to the authorizations required for operations and applications, including any SoD conflicts.

So, the first question is – how sure are you that you know where your vulnerabilities are?Security & Compliance audit:
The perfect way to take stock of your SAP system security.

Our audits are designed to help you determine your SAP landscape’s actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations. In addition to analyzing conflicts in the segregation of duties (SoD), we check whether third parties are logging into your systems without user IDs and whether users with low-level authorizations can potentially gain further privileges without attracting attention.

If your company’s migration to SAP HANA or S/4HANA is right around the corner, an audit offers an ideal solution for security guarding your systems and taking all the necessary security measures before you start your transition.

Based on the results of this “passive” review of the underlying SAP systems, we can then easily draw up a catalog of actions and recommendations for you that will result in concrete actions for hardening your system.

Our Security & Compliance audits at a glance:
–  Full transparency regarding the actual risks your systems face
–  Checks based on SAP’s security guidelines, recommendations from BSI, and the DIN ISO 27001 standard
–  Coverage for every level of your SAP landscape and evaluation of your authorization, emergency user, and operational concepts
–  Concepts you can reuse in future implementations
–  Systematic analyses facilitated by our certified GRC software, SAST Suite
–  Final presentation of results, including the degree to which your systems deviate from the ideal situation

Penetration tests:
The toughest stress test for your SAP landscape

From external attacks to manipulations by internal entities, our experts can simulate various incursions to mimic common attack patterns and methods, force their way into your SAP systems, and reveal their last remaining vulnerabilities.

These “active” attack scenarios permit key assertions to be made about the current security level of your SAP system. Our approach and results mean that you also get a report with concrete recommendations for eliminating any risks uncovered during system penetration tests.

Our penetration testing at a glance:
–  Full transparency regarding how vulnerable your systems are to attacks
–  Reveal the vulnerabilities in your SAP systems and authorizations
–  Realistic attack patterns simulate external hacks and internal manipulation (black- and white-box testing)
–  Simulated incursions based on the latest BSI recommendations and our proven best-practice scenarios
–  A final presentation that includes documentation of our assessment methods, the results of our simulated attacks, and tailored recommendations for your company
–  Follow-up workshop where we present the vulnerabilities we’ve found and explain the specific risks your company faces

Conclusion: Security & Compliance audit vs. pen test

By contrast to a pen test, a Security & Compliance audit goes much deeper. Based on our passive analysis and with the support of the SAST Suite, an audit provides a noticeably broader foundation for the analysis.

However, if the actual and provable exploitation of concrete security loopholes is the focus – in the view of the potential attacker – then a pen test will be the better option for you.

Or do you only need to take stock of the most acute security flaws in one of your SAP systems?
Then we recommend our Security Quick Audit. This service includes a review of the relevant security levels at hand, an assessment of the 10 most critical findings in your system and its authorizations, and a final presentation by our experts.
Ideal for companies who are taking a closer look at the subject of SAP security and compliance for the first time and thus need help setting priorities for the tasks in the queue.

Whether you count yourself among the beginners or the professionals, we’d love to help you find the perfect path to truly secure SAP systems.

Axel Giese
Axel Giese
Head of Security Consulting at AKQUINET

Even as threat profiles evolve and new security-relevant factors emerge, our SAST Suite and SAST Managed Services will provide your systems with comprehensive long-term protection following a pen test or audit.
Get in touch with us: knowhow@akquinet.de