In a digital landscape where enterprise systems are constantly under siege, cybersecurity is no longer optional—it’s mission-critical. This is especially true for SAP, one of the world’s most widely used ERP systems, which now operates in increasingly complex and interconnected environments. In the April 2025 issue of ERPNews, we sit down with two of the industry’s foremost SAP security experts: Gaurav Singh, Senior Manager of SAP Security at Under Armour, and Juan Pablo Perez-Etchegoyen, Chief Technology Officer at Onapsis.
Together, they unpack the modern threat landscape facing SAP users, challenge long-standing misconceptions, and offer an inside look at the new book they co-authored—a practical roadmap for safeguarding ERP systems against advanced cyber threats. From the dangers of credential-less exploits to the evolving responsibilities under RISE with SAP, this Q&A delivers critical insights for any organization looking to stay secure in the age of intelligent enterprise.

Gaurav Singh

Gaurav Singh is an SAP cybersecurity manager at Under Armour with more than 19 years of experience and a proven track record of helping organizations protect themselves from cyber threats while maximizing their SAP investments. In addition to his cybersecurity leadership role, Gaurav is an accomplished speaker and published author. He has presented at the SAP conference’s cybersecurity track, been featured in international journals, and been recognized as an SAP Insider Expert.
Gaurav’s expertise spans the entire spectrum of SAP security, including identity and access controls; governance, risk, and compliance; vulnerability management; threat management; incident response; and backup and disaster recovery. He is passionate about going beyond traditional SAP security to implement true cybersecurity, covering all aspects of SAP’s Secure Operations Map, from infrastructure to cloud security.
- As a security leader at Under Armour, what key SAP security challenges do you see enterprises struggling with most frequently in today’s threat landscape?
The security culture around SAP is still a work in progress. Though there has been a shift for good, there is still a false sense of security due to governance, risk management, and compliance (GRC) driven SAP security. This limits enterprises and even their systems integrators (SIs) to GRC/traditional role-based security for SAP transformations, preventing organizations from truly protecting their business-critical environments from today’s sophisticated threat landscape.
- The book highlights that attackers can compromise SAP systems without user credentials. Can you share real-world examples or scenarios where this risk is especially critical?
SAP used to be an all-internal system where these threats were not significant. Yet, with SAP available over the internet through Software as a Service (SaaS) applications and SAP Business Technology Platform (BTP) platforms, like WorkZone and SAP.me, which are critical for many SAP customers, any compromise of user credentials and its exploitation can be devastating.
We saw this recently in the Stoli Group attack, when the popular alcohol brand filed for bankruptcy in late 2024 following a ransomware attack that directly impacted the parent company’s IT system, and the company was unable to provide financial data.
- From your experience, what common misconceptions do business and IT leaders have about SAP security, and how can those be corrected?
As I mentioned, the biggest misconception is that we are doing everything we need to do with traditional role-based security (PFCG, user), GRC, and audits, and that we don’t need to do anything in other areas, like vulnerability management and threat management. This leads the industry to think that we can solve vulnerable SAP environments by just implementing technology, which is also a misconception; we need people and processes, along with technology, to ensure that SAP systems are secure from all threats.
- How can organizations effectively apply SAP’s Secure Operations Map and NIST Cybersecurity Framework to build a robust defense strategy?
I would recommend starting with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to start the cybersecurity program for SAP, which includes the govern, identify, protect, detect, and respond functions, categories, and subcategories, and mapping them to specific security controls around specific areas of SAP, like applications, using the Secure Operations Map. Using a widely adopted framework like NIST CSF and then complementing it with the SAP Secure Operations Map as a reference model, organizations can ensure they are doing their due diligence and due care for all aspects of SAP cybersecurity and continuously evolve to achieve higher tiers of their security maturity.
- What recommendations would you give to security teams working within large enterprises to balance compliance, operational needs, and proactive threat prevention?
The only recommendation would be to bring security culture into the SAP ecosystem and involve different teams, like cyber, SAP security, and Basis, in one team rather than in silos, to ensure that different stakeholders keep performing their due diligence (compliance, keeping the lights on) but are also proactive as a team, ensuring threats are mitigated in a timely and collaborative manner.

Juan Pablo Perez-Etchegoyen

Juan Perez-Etchegoyen is the chief technology officer at Onapsis. With more than 20 years of experience in the IT security field, JP is a leading expert in business-critical application security, specializing in safeguarding ERP landscapes. At Onapsis, he spearheads research and innovation, tackling the complex security challenges faced by organizations managing these critical systems. He guides the development of new products and oversees the acclaimed Onapsis Research Labs, driving cutting-edge cybersecurity research.
An experienced speaker and trainer, JP regularly presents at top-tier industry conferences like Black Hat, RSA, HackInTheBox, Oracle OpenWorld, and SAP TechEd. He is a founding member of the CSA Cloud ERP Working Group and has led numerous global cybersecurity consultancy projects for Fortune 500 companies, spanning penetration testing, vulnerability research, security auditing, and incident response, including leading responses to high-profile breaches affecting SAP applications.
- From a technology perspective, what makes SAP systems particularly vulnerable to sophisticated cyberattacks, and why do many of these threats go undetected?
I believe the most relevant word to answer this question is “complexity.” ERP applications in general, but SAP applications in particular, are very complex because these applications need to be able to serve complex business processes executed by hundreds of different business roles across the most diverse organizations. Because of that, the underlying technology supporting SAP applications is built from multiple processes, services, and protocols. Understanding what security looks like in the context of a given organization requires an understanding of the possible risks and threats that could affect SAP applications.
Threat actors understand this and are increasingly targeting SAP applications, going undetected if organizations have not enabled and deployed the right level of visibility to be able to detect or stop these actors.
- As an ethical hacker and CTO at Onapsis, what were some of the most alarming vulnerabilities you’ve encountered in SAP environments?
Over time, SAP applications have faced a number of critical vulnerabilities, which SAP has been fixing while improving the overall security posture. Some of the most relevant ones that I recall are the RECON vulnerability (CVE-2020-6287), which generated a lot of threat activity due to the ease of exploitation and the impact of a successful exploitation, as it was the creation of an admin user on the target SAP application. The other critical exploit that is still relevant is 10KBLAZE, which allows an attacker to completely take over an SAP system and impacts current unsecured SAP applications.
Besides that, it is important to understand that security is a continuous process, as security vulnerabilities, even very critical ones, are patched periodically by SAP. Organizations need to be able to properly address them in a timely manner.
- The book introduces a practical roadmap for vulnerability management and incident response. Could you elaborate on how organizations can implement this roadmap effectively?
Through the different chapters, we explore the concepts of Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and other technical elements that are important to understand when you are dealing with vulnerabilities affecting SAP applications.
With regard to vulnerability management, we go through the basics. We also cover the elements of a successful vulnerability management program, providing examples of how to analyze different types of SAP Security Notes.
When it comes to incident response, we provide concrete examples of real incidents and detail the different sources of information you can use to understand what happened at any given time in an SAP application.
- How does the RISE with SAP shared responsibility model change the way organizations should approach their security strategy?
When it comes to RISE with SAP, there is an extensive list of tasks properly documented in the roles and responsibilities document, explaining which tasks are the responsibility of SAP to address and which tasks fall under the responsibilities of the SAP customer. For the most part, when it comes to infrastructure, operating systems, and networking, SAP will take care of managing and securing them; however, when it comes to the SAP application and database, the customer will own responsibility for certain areas, and SAP will implement certain other changes.
Having said that, it is important to remember that even when migrating to RISE, it is always our data, and our data is our responsibility, which does not transfer in any way. We need to ensure due diligence and due care, while working with a cloud provider to define the controls that are in place to protect our data.
- Looking ahead, what role will automation, AI, and threat intelligence play in the next generation of SAP cybersecurity tools and protocols?
Automation and artificial intelligence (AI) are key players in the world of cybersecurity. With the current scale and volume of threats, attacks and vulnerabilities cannot be dealt with without the help of proper automation, which will continue evolving and improving with the integration of machine learning and AI.
AI will allow the industry to make better decisions when prioritizing security initiatives, both on the preventative side as well as from the defensive side of the house.