Cybersecurity for SAP is available from SAP Press. ASUG members can enjoy 15% off any SAP Press titles with the discount code 15ASUG.

When cybersecurity professionals Juan Perez-Etchegoyen and Gaurav Singh co-authored Cybersecurity for SAP, a step-by-step guide to implementing infrastructure and network security throughout SAP landscapes, they weren't expecting a runaway bestseller.

But their timing, the co-authors recently reflected in a virtual SAP Book Club session, couldn't have been better. Released shortly ahead of this year's SAP Sapphire & ASUG Annual Conference, the publication shot up the SAP Press bestseller charts, signaling to Singh and Perez-Etchegoyen that the SAP community was eager to tackle what they characterize as long-standing, still unresolved gaps in how customer organizations secure SAP environments.

The challenge is multi-pronged, with technical, cultural, and even linguistic factors contributing to the complexity of SAP security, Singh and Perez-Etchegoyen explained to session moderator Kendall Tyler, Director of SAP Partner Success at Cognizant, who serves as the host of SAP Press Book Club. 

Traditional SAP security and enterprise cybersecurity practices have developed over time in parallel but disconnected silos, they noted. "Cybersecurity for SAP is a mindset shift," said Singh, who serves as a senior manager of cybersecurity at Under Armour. "It's about bringing two different silos together: the information security people and the SAP security or Basis people."

More than merely a buzzword, SAP cybersecurity is an issue that IT and business leaders must prioritize addressing as they modernize their technology investments and shift to the cloud while embracing AI and other emerging innovations.

Here are six key insights from the discussion:

From Role Management to Risk Mitigation

Historically, SAP security has been the domain of SAP Basis administrators, generally comprising teams of IT professionals focused on user provisioning, GRC (Governance, Risk, and Compliance), and Segregation of Duties (SoD). That work remains essential. But as Singh and Perez-Etchegoyen pointed out, it’s no longer enough to protect against the kinds of external threats that target enterprise software today.

For too long, cybersecurity teams treated SAP systems as a “black box,” and SAP users confined their understanding of security to a series of roles and authorizations. The result? Critical business systems were often overlooked within broader enterprise security strategies.

“The root of the gap is that security was always understood as admin work: adding permissions, building roles, and so on,” explained Perez-Etchegoyen, who has served as CTO of Onapsis for over 14 years. “Meanwhile, cybersecurity teams never had visibility or control over the SAP landscape.”

Cybersecurity for SAP aims to fill this vacuum by defining what a modern SAP security posture looks like, detailing the importance of establishing a practice that incorporates vulnerability management, threat detection, incident response, and business continuity alongside traditional access governance.

A Bigger Attack Surface

While SAP systems increasingly operate in the cloud, the authors cautioned against assuming that standard cloud security measures are sufficient to protect organizations' landscapes. “Cloud security is part of the SAP cybersecurity. It’s not the other way around,” Singh explained. The application layer—where SAP-specific roles, clients, and configurations reside—introduces unique complexities and risks that extend well beyond infrastructure-level protections.

SAP environments were once kept behind firewalls in on-premises data centers, but the shift to S/4HANA, BTP, and RISE has changed that equation. Today’s SAP systems are cloud-connected, API-driven, and highly extensible. Each connection, however, expands the attack surface.

Even systems once thought to be essentially secure behind a firewall are now interconnected, including via tools like SAP Cloud Connector and SAP Router, which create pathways between on-premises and SaaS components. The complexity of this hybrid model often obscures the fact that even small configuration gaps can expose sensitive data to the internet.
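One concrete instance of the "small configuration gap" the authors describe is the SAProuter route permission table (saprouttab). The fragment below is an added example for this article, not material from the book or the session; the addresses and port are constructed. It places a wildcard permit line, which turns the router into an open relay between the internet and the SAP landscape, next to a restricted table that permits one partner address to reach one dispatcher port and denies everything else.

```text
# saprouttab: route permission table read by SAProuter; entries are evaluated top-down, first match wins.
# Added example, not from the book or the session; hosts and ports are constructed.

# Weak: any source host may connect through the router to any destination host on any service.
P * * *

# Hardened: one explicit route per partner, followed by an explicit deny-all.
# Format: <P|D|S> <source-host> <destination-host> <destination-service> [<password>]
# Only the support partner's address (constructed) may reach the dispatcher port (3200) of one application server.
P 203.0.113.10  10.10.0.5  3200
# Deny everything else. An unmatched connection is refused anyway; the explicit line documents the intent
# and prevents a later edit from silently widening access.
D * * *
```

When reviewing a table, look for `*` in the source column and for service fields such as `*` or port ranges that include the gateway (33xx) and message server (36xx) ports; those are the entries that, combined with a router reachable from the internet, expose the systems behind it.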

Adding to the concern is the ease with which attackers can now understand and exploit SAP technology. Modern SAP platforms incorporate non-SAP technologies like JavaScript, open APIs, and AI services, which are already familiar terrain for many threat actors.

“If they don’t understand SAP the way they want to, there’s always help for them to make it easier,” remarked Singh. “AI makes it so much easier to decipher [SAP] the way they want to decipher it.”

Real-World Exploits and a Wake-Up Call

SAP cybersecurity isn't just a theoretical concern. The authors highlighted multiple recent examples of active exploitation, including the zero-day vulnerability CVE-2025-31324, an unauthenticated file-upload flaw in SAP NetWeaver that was being used to compromise SAP applications just weeks before the event was held. The vulnerability, which carried a CVSS score of 10, impacted core components of SAP software and prompted SAP to release an emergency, out-of-cycle patch rather than wait for its regular monthly Security Patch Day.

The cybersecurity firm Mandiant "responded to over 200 incidents on this vulnerability alone,” noted Perez-Etchegoyen. “Organizations that reacted quickly avoided the second wave of exploitation. Those that didn’t were hit by crypto miners, malware, and additional threats.”

He also pointed to a recent bankruptcy filing in which the affected company cited a cyberattack on its SAP systems as a material event. "This is happening. We need to be purposeful to prevent it and be well-positioned in the case of a critical vulnerability [under] active exploitation or [the case of] someone trying to break into our organization," he said.

While operating system-level vulnerabilities remain a concern, both authors emphasized that the application layer is now the top target for threat actors focused on SAP. Complex and often under-monitored, this layer offers the highest potential return for attackers—and often their path of least resistance.

Patch Management and Shared Responsibility

Organizations need formal processes to address these risks, starting with regular patching. SAP’s Security Patch Day, held on the second Tuesday of each month, typically introduces dozens of new security notes, several of which may be critical.

"The good thing is that this is planned; Basis admins are prepared and ready to prioritize and apply security patches," said Perez-Etchegoyen. But doing so requires established processes.

Ownership becomes more complex in cloud-hosted environments, particularly those running under the RISE with SAP model. In these deployments, SAP manages the infrastructure and certain components of the application stack, but the customer remains responsible for its data and for its business and client-level configuration. This is known as the shared responsibility model and, according to the authors, too few customers fully understand it.

“Ultimately, it’s your data,” said Perez-Etchegoyen. “The organization is responsible for ensuring the controls are in place to prevent someone from accessing that.”

When asked whether customers should outsource SAP security or retain it in-house, Perez-Etchegoyen emphasized that there’s no one-size-fits-all answer. “It really depends on the organization and their appetite to own some of that knowledge and some of those processes,” he said. Some organizations rely heavily on consulting partners, while others prioritize internal ownership of SAP cybersecurity expertise.

Visibility is critical. Whether through manual checks or third-party tools, organizations must maintain the ability to monitor vulnerabilities, validate patches, and audit system configurations.

Tools, Frameworks, and the Limits of SIEM

The authors also addressed questions about security tooling, especially around Security Information and Event Management (SIEM) platforms. While valuable for detection and forensics, SIEMs are not a cure-all. They represent one layer, specifically the “detect” and “respond/recover” functions, within a much broader security framework.

“Security is a marathon, not a sprint,” said Singh. “You need governance, visibility, hardening, detection, and response. You still have to have all those things covered on different functions: the whole spectrum, not just one piece. It’s one piece of the puzzle.”

Such a program includes planning for business continuity and disaster recovery, not just perimeter defense. As Singh added, "You have to know your RTO and RPO. If there's an incident, can you recover from it?"

The Path Forward: Mindset, Culture, and Community

More than anything, Singh and Perez-Etchegoyen want readers to understand that SAP cybersecurity is not the responsibility of a single team or function. It’s a shared mandate that cuts across Basis, information security (infosec), development, and business operations—and it starts with education.

“Security has been perceived as a blocker, whereas it should and can be an enabler,” explained Perez-Etchegoyen. “Instead of being perceived as the guys that are blocking the project and putting up roadblocks, how do we enable them?” 

He posed the question: “How do we help adopt technologies faster? How do we help accelerate development of new applications, of new capabilities, using open-source, using AI, using all of these great things, but in a secure and controlled way?”

The shift is defined by language and culture as much as it is by technical know-how. SAP professionals speak in T-codes, roles, and compliance frameworks; cybersecurity professionals talk about CVEs, SIEMs, and exploits. Bridging those two worlds requires not just collaboration, but mutual fluency.

“You can’t fight this battle alone. You’re going to need a team to protect your SAP ecosystem,” emphasized Singh.

That also means embracing continuous learning. The book is framed not as a definitive guide but as a place to start, extending an invitation to readers to help build a broader SAP cybersecurity community.
