
The Strength and Risk of SAP Debugger


The SAP Debugger is a powerful tool used by developers and technical SAP consultants to analyze problems and simulate program flows. However, this tool poses a serious risk to SAP systems because it can be used to infiltrate or manipulate the database and even change the program flow. The combination of debugging privileges and the ability to change program variables is called “Debug & Change” in SAP lingo. It is a critical authorization combination and, to protect the system from compromise, should not be assigned in a productive SAP environment.

The SAP Debugger can be called from all ABAP screen-based transactions using function code /h. Hidden features, such as starting a remote debug session with the SAP Debugger or letting the cursor jump from one line to another without executing the source code in between, can be used by attackers to gain unauthorized access to a user’s SAP session. Additionally, breakpoints can be set dynamically, and values of program variables can be changed to infiltrate or manipulate the database.

Remote ABAP Debugging is a feature that has been around since 2013, and attackers can also use it to compromise the SAP system. To identify attacks, it is therefore crucial to recognize anomalies in usage behavior and detect indicators of compromise at an early stage. This can be achieved by regularly and promptly analyzing the activities in the associated SAP logs, such as the SAP Security Audit Log (SAL), although doing so can be time-consuming.

Developers cannot work without extensive authorizations, but the critical authorization combination of debugging privileges and changes to program variables should not be assigned in a productive SAP environment. The authorization object “S_DEVELOP” can be used to prevent the object type “DEBUG” from being granted in combination with activity ’02’ (changing values of fields and the “Goto statement” function) and activity ’90’ (debugging sessions of other users). Additional protection can be achieved by using market solutions that help detect anomalies or indicators of compromise for the SAP system.
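The S_DEVELOP restriction above can be checked across all roles. The following is an added example, not code from the article or from SAP: it assumes the role authorization values (table AGR_1251) were exported to CSV, and the role names and rows are constructed. The matching is simplified to single values, trailing-`*` patterns and LOW/HIGH ranges, and it does not cover profiles assigned outside of roles.

```python
import csv
import io
from collections import defaultdict

# Activities the article singles out for object type DEBUG.
CRITICAL = {"02": "change field values / Goto statement", "90": "debug other users' sessions"}

# Constructed sample rows in the column layout of AGR_1251 (not real data).
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_DEV_DISPLAY,S_DEVELOP,T1,OBJTYPE,DEBUG,
Z_DEV_DISPLAY,S_DEVELOP,T1,ACTVT,03,
Z_BASIS_FULL,S_DEVELOP,T2,OBJTYPE,*,
Z_BASIS_FULL,S_DEVELOP,T2,ACTVT,*,
Z_SUPPORT,S_DEVELOP,T3,OBJTYPE,DEBUG,
Z_SUPPORT,S_DEVELOP,T3,ACTVT,01,03
Z_SUPPORT,S_DEVELOP,T4,OBJTYPE,PROG,
Z_SUPPORT,S_DEVELOP,T4,ACTVT,90,
Z_REMOTE,S_DEVELOP,T5,OBJTYPE,D*,
Z_REMOTE,S_DEVELOP,T5,ACTVT,90,
"""

def covers(low, high, value):
    """True if one LOW/HIGH entry (single value, pattern or range) includes value."""
    low, high = low.strip(), (high or "").strip()
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_debug_change(rows):
    """Map role name -> critical activities granted together with OBJTYPE DEBUG."""
    # Fields only combine within one authorization instance (AUTH), so group by it.
    inst = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["OBJECT"] == "S_DEVELOP":
            inst[(r["AGR_NAME"], r["AUTH"])][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    findings = defaultdict(set)
    for (role, _auth), fields in inst.items():
        if any(covers(lo, hi, "DEBUG") for lo, hi in fields["OBJTYPE"]):
            findings[role] |= {a for a in CRITICAL
                               for lo, hi in fields["ACTVT"] if covers(lo, hi, a)}
    return {role: sorted(acts) for role, acts in findings.items() if acts}

if __name__ == "__main__":
    print(find_debug_change(load_rows(SAMPLE)))
```

Note that Z_SUPPORT is flagged only for activity 02: its activity 90 sits in a separate authorization instance with object type PROG, so it does not combine with DEBUG.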

Christoph Nagy, the CEO of SecurityBridge, has 20 years of working experience within the SAP industry. Nagy has utilized his knowledge to found SecurityBridge, a global SAP security provider that now operates in the U.S. SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and the detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

In conclusion, while the SAP Debugger is a powerful tool for SAP developers and consultants, it can be a double-edged sword. The critical authorization combination of debugging privileges and changes to program variables should not be assigned in a productive SAP environment to protect the system from compromise. Additional protection can be achieved by regularly and promptly analyzing the activities in the associated SAP logs and using market solutions that can help detect anomalies or indicators of compromise for the SAP system. As the SAP Debugger’s power and danger go hand in hand, it is crucial to use it responsibly and to protect against potential threats.
