Mitigating SAP Vulnerabilities Without SAP Support

How a global manufacturer closed the SAP patching gap under third-party support with practical workarounds for vulnerabilities without access to SAP security notes

Customer Profile

The customer is a large global industrial manufacturer operating in the chemicals, polymers, and materials sector. Headquartered in the United States, the organization has a substantial international footprint, with operations in more than 20 countries and 10,000 employees worldwide. Its SAP landscape includes ECC, BW, GRC, and other solutions, supporting critical enterprise processes across manufacturing, supply chain, finance, and shared services.

Challenges

Like many organizations using third-party support for SAP, the customer faced a significant cybersecurity challenge: it no longer had access to SAP-delivered corrections for security vulnerabilities through standard support channels. The transition to third-party support created a significant security risk, since the customer could not implement the regular patches that SAP provides through security notes and support package notes.

The most pressing concern was how to address security notes for relevant vulnerabilities affecting SAP systems when the related patches were unavailable. For a company running business-critical SAP platforms, this introduced a material risk. Even when vulnerabilities were publicly known through CVE databases, the customer needed a reliable method to determine whether its systems were affected and, if so, how to reduce exposure without access to SAP corrections. Automated fixes are the preferred remediation path for SAP vulnerabilities. However, they are usually unavailable to customers on third-party support.

Objectives

The customer engaged Layer Seven Security to determine whether the Cybersecurity Extension for SAP could provide a sustainable risk mitigation strategy for SAP cybersecurity while the organization remained outside SAP support.

The objectives were clear:

Methodology

During an extended Proof of Value (POV), Layer Seven Security used the Cybersecurity Extension for SAP to assess the customer’s SAP landscape and identify relevant security notes for impacted SAP systems based on installed components and release levels. The Cybersecurity Extension for SAP automates the discovery of required SAP security notes based on software components and versions.
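The note-applicability step described above, as an added illustration that is not the Cybersecurity Extension for SAP's own code: it compares a system's installed software components and support-package (SP) levels against each note's affected ranges and reports which notes still apply, together with any documented workaround. The component inventory, note identifiers and note table are constructed placeholders, not real SAP notes.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AffectedRange:
    component: str      # installed software component, e.g. "SAP_BASIS"
    release: str        # component release, e.g. "750"
    fixed_in_sp: int    # first support package level that contains the correction

@dataclass(frozen=True)
class SecurityNote:
    note_id: str
    priority: str
    affected: Tuple[AffectedRange, ...]
    workaround: Optional[str]   # compensating control when the patch cannot be applied

def parse_component(entry: str) -> Tuple[str, str, int]:
    """Parse an inventory line such as 'SAP_BASIS 750 SP0012' into (name, release, sp)."""
    name, release, sp = entry.split()
    if not sp.upper().startswith("SP") or not sp[2:].isdigit():
        raise ValueError(f"unrecognised support package level in {entry!r}")
    return name, release, int(sp[2:])

def applicable_notes(installed: List[str], notes: List[SecurityNote]) -> List[Dict]:
    """Return notes whose affected range matches an installed component below the fixing SP."""
    inventory = {(n, r): sp for n, r, sp in map(parse_component, installed)}
    hits = []
    for note in notes:
        for rng in note.affected:
            sp = inventory.get((rng.component, rng.release))
            if sp is not None and sp < rng.fixed_in_sp:
                hits.append({"note": note.note_id, "priority": note.priority,
                             "component": rng.component, "release": rng.release,
                             "installed_sp": sp, "fixed_in_sp": rng.fixed_in_sp,
                             "workaround": note.workaround})
                break  # one matching range is enough to make the note relevant
    return hits

# Constructed sample data: component inventory of one system and three placeholder notes.
INSTALLED = ["SAP_BASIS 750 SP0012", "SAP_ABA 750 SP0012", "SAP_BW 750 SP0009"]
NOTES = [
    SecurityNote("SECNOTE-1", "HotNews", (AffectedRange("SAP_BASIS", "750", 14),),
                 "Disable the affected service until the correction can be applied"),
    SecurityNote("SECNOTE-2", "High", (AffectedRange("SAP_BW", "750", 8),), None),
    SecurityNote("SECNOTE-3", "High", (AffectedRange("SAP_BASIS", "740", 30),
                                        AffectedRange("SAP_BASIS", "750", 16)), None),
]
```

A note with no recorded workaround (SECNOTE-3 here) is the case that needs manual analysis of the kind described in the next paragraph.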

Since the customer could not implement the required security notes, Layer Seven Security performed a detailed analysis of each relevant note to identify viable workarounds. This included reviewing the technical details of the notes, analyzing the vulnerable objects or attack surfaces, and translating that analysis into practical mitigation guidance. The workarounds included restricting access, disabling vulnerable objects and services where feasible, and hardening system settings.

In parallel, Layer Seven Security developed and added threat detection patterns to the Cybersecurity Extension for SAP for the related CVEs to improve threat visibility and trigger alerts on signs of attempted exploitation. This included patterns over SAP logs that detect and alert on potential exploitation of SAP CVEs, with alerts forwarded to a SIEM solution.

Results

The POV produced exceptionally strong outcomes.

Layer Seven Security successfully discovered and recommended workarounds for 100% of the relevant SAP security notes for the customer’s SAP systems. This provided the customer with a credible and actionable path to mitigate vulnerabilities despite lacking access to SAP-delivered patches.

In addition, Layer Seven Security identified and added threat detection patterns to the Cybersecurity Extension for SAP for 80% of the related CVEs. This significantly improved the customer’s ability to detect suspicious activity associated with known SAP vulnerabilities and strengthened compensating controls around patch unavailability.

Following completion of the POV, the customer licensed the Cybersecurity Extension for SAP and rolled out the solution to all systems in the SAP landscape.

Today, Layer Seven Security analyzes SAP hot news and high-priority SAP security notes every Patch Tuesday for SAP S/4HANA, ECC, Basis, and HANA. Workarounds are delivered through the Cybersecurity Extension for SAP for related SAP CVEs, wherever possible. This mitigates one of the most significant risks associated with third-party support: exposure to newly disclosed SAP vulnerabilities without direct access to vendor patches.

Customers also benefit from continuous threat detection coverage tied to patterns for relevant CVEs, enabling security teams to identify potential exploitation attempts. Beyond workaround management and threat detection, customers also mitigate risk through system hardening, vulnerability management, and improved visibility into insecure custom code. Together, these capabilities provide a more defensible security posture for SAP systems operating outside standard SAP support.

Business Impact

For the customer, the Cybersecurity Extension for SAP delivered a practical operating model for SAP cybersecurity in a third-party support context. The solution enabled the organization to:

Summary

This experience demonstrated that organizations using third-party support for SAP do not need to accept unmanaged cyber risk as a trade-off. With the Cybersecurity Extension for SAP, the customer was able to calculate relevant security notes, identify workarounds for vulnerabilities, implement threat detection coverage for SAP CVEs, and operationalize a sustainable monthly process for addressing SAP security risks without direct access to security notes.

Highlights