How secure is hosted data in a SAP environment? This question was subject of a talk which Andreas Wiegenstein from Virtual Forge gave at the Troopers14 Conference in Heidelberg (Germany).
In his talk Mr. Wiegenstein demonstrated potential attack vectors to SAP systems and applications and pointed to risks which are introduced by custom coding provided by any of the hosted parties.
Andreas Wiegenstein also covered vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data.
The talk provided valuable advice for SAP customers that rely on hosting providers and their auditors and what the providers should do in order to run their operations safer.