I know what You Coded last Summer presented at Troopers 2015

by Xu Jia, Andreas Wiegenstein

Summary: Are you aware that each of your SAP production systems statistically contains 9 security vulnerabilities in your own ABAP code that allow attackers to gain SAP_ALL privileges and thus take over complete control? This talk deals with an area usually ignored in SAP security concepts: custom code. It unveils unpleasant statistical results based on a code study of more than 200 large companies across the world that run SAP. It shows the most common and most critical security defects that exist in ABAP applications and provides guidance on how to deal with them.