
In any SAP environment, transports are essential for moving changes from one system to another, implementing new features, applying updates, and installing third-party applications. As routine as these deliveries are, however, an unchecked transport is a gateway for importing risky objects. Attempts to detect such threats with SAP standard tools alone quickly reach their limits. Still, there are ways to detect them during the creation or import process rather than after the fact.

What is An SAP Transport?

A transport could include products, patches, coding, database contents, roles, or authorization objects. Simply put, an SAP transport is a container for exchange between systems. Normally, the transport is created on a development system, released there, and exported, i.e., corresponding files are created in the transport directory. It is then added to the import queue of a production system, for example, and is ready for import.

From a security point of view, it is crucial to understand that completing an import automatically activates everything the transport contains, whether code or database content, and consequently any security vulnerability it may carry. Therefore, all content must have been checked and all threats detected before any import.

The Challenges of Exporting and Importing SAP Transports

Developers require extensive authorizations, for example, to debug, to fill transports, in some cases to create them, to release them if necessary, and in any case to modify coding. This brings a high potential for manipulation, for example via hidden SAP_ALL, hidden OK codes in the transaction call, or modified RFC pings, because there are numerous ways for experts to transfer transports from the development system to other systems.

Development systems are prioritized less in the security scope; for example, internal audits are extended to these systems less frequently. This is understandable since development systems are used to work with far-reaching authorizations and critical elements. In addition, ABAP coding can be unwieldy, with reports containing 10,000 lines and more. So, manually checking the contents of the entire code for vulnerabilities is not a realistic option, given the sheer volume of data.

Where Does the SAP Standard Provide Support?

So, what can the SAP standard do to minimize risks in SAP transports? In any case, the ABAP Test Cockpit (ATC) should be actively used in development, and coding should be checked automatically during creation or at least in the transport process. However, one limitation of the ABAP Test Cockpit is that it does not go deep into security cases. As a result, code scanning is not always complete and leaves many gaps. It is therefore also recommended to set up ChaRM (Change Request Management), which helps increase transparency and process compliance.

Finally, STMS_TCRI can be maintained on downstream systems such as QA or production systems even before an import. Here a list of security-critical objects can be stored whose import is automatically blocked. The problem is that anyone with elevated authorizations could bypass this and even hide the fact. While the SAP standard is an essential tool, the depth of its scans is simply not sufficient.

Extension by Tool-supported Transport Control and Code Scan

In order to ensure comprehensive control over transports, one should specifically extend and expand the SAP standard. Combining it with solutions such as Pathlock makes it almost impossible to bypass all security steps. This starts in the development system through a code-scanning extension of the ATC with over 80 test cases. The ATC also allows a scan to be done before release, making it possible to automatically include this extension in a transport scan with the standard functionality but with control over security vulnerabilities.

The next step is an export control layer. With this option, every export is monitored, the objects within an SAP transport are checked for criticality, and, if necessary, the entire transport is blocked. The security event is then logged so that the whole incident can be tracked. Additionally, each import can be monitored too. For both methods, Pathlock provides trusted options that allow the import of critical objects, such as a self-executing program, when this is explicitly required. And lastly, the solution can perform ad-hoc scans to check, or retrospectively determine, whether content is critical.
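To make the object check concrete, the following is an added example (not Pathlock's or SAP's own code) of the kind of rule evaluation an STMS_TCRI list or an export/import control layer performs: it walks a transport's object list, flags critical entries, blocks the transport unless a trusted exception applies, and returns the findings in a form that can be logged. The sample transport entries and the rule set are constructed here; the entries mirror the PGMID / OBJECT / OBJ_NAME columns of a transport's object list, and the set of critical object types and tables is an assumed policy, not a complete one.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class TransportObject:
    """One entry of a transport's object list (PGMID, OBJECT, OBJ_NAME)."""
    pgmid: str      # e.g. R3TR (complete object) or LIMU (sub-object)
    object: str     # object type, e.g. PROG, TABU, ACGR
    obj_name: str   # object name, e.g. program, table or role name

# Assumed rule set (adapt to your own policy): object types that always
# count as critical, and table contents (TABU) whose transport is critical
# because the tables hold users, roles/profiles or RFC destinations.
CRITICAL_OBJECT_TYPES = {"ACGR": "role"}
CRITICAL_TABLE_PREFIXES = ("USR", "UST", "AGR_", "RFCDES")

def classify(obj: TransportObject) -> Optional[str]:
    """Return a reason string if the object is critical, otherwise None."""
    if obj.object in CRITICAL_OBJECT_TYPES:
        return f"{CRITICAL_OBJECT_TYPES[obj.object]} {obj.obj_name}"
    if obj.object == "TABU" and obj.obj_name.upper().startswith(CRITICAL_TABLE_PREFIXES):
        return f"table contents of {obj.obj_name}"
    return None

def check_transport(objects: Iterable[TransportObject], trusted: bool = False) -> dict:
    """Evaluate a whole transport: one critical object blocks the entire
    transport, unless it was explicitly marked as a trusted exception.
    Findings are always returned so the security event can be logged."""
    findings: List[str] = [r for o in objects if (r := classify(o))]
    return {
        "blocked": bool(findings) and not trusted,
        "trusted_exception": trusted and bool(findings),
        "findings": findings,
    }

# Constructed sample transport: a harmless report, user-master table
# contents and a role, as they would appear in the object list.
SAMPLE_TRANSPORT = [
    TransportObject("R3TR", "PROG", "ZREPORT_SALES"),
    TransportObject("R3TR", "TABU", "USR02"),
    TransportObject("R3TR", "ACGR", "Z_FINANCE_ADMIN"),
]

if __name__ == "__main__":
    print(check_transport(SAMPLE_TRANSPORT))
```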

The Advantages of a Tool-based Solution

SAP standard functionalities for transport analysis quickly reach their limits. A tool extension not only reduces the effort but also enables automation of transport control. Integration takes place using the standard mechanisms provided by SAP, without revising already established processes. Extensions such as those provided by Pathlock take control analyses a decisive step further and enable checks for critical content even before it is released for import into the SAP systems, in real time and even during implementation.

By automatically blocking incorrect or risky SAP transports, development teams can fix problems before the quality, security or compliance of the SAP system is compromised, regardless of whether the problem is poor coding, faulty configuration or deliberate manipulation. The set of rules can be extended individually; you can create your own patterns, define your own search patterns and use them to search specifically for weak points.

The solution can be customized and implemented without any programming knowledge, thereby turning the extended SAP standard into a robust threat detection system that automatically blocks critical content and tracks it via a security dashboard. And finally, another significant advantage is that all findings can be exported to other tools, such as a SIEM, to provide you with a comprehensive view of your entire threat landscape.

Get in touch with us to learn more about how you can extend your SAP security capabilities.
